Forward cloned data to multiple receivers
This documentation does not apply to the most recent version of Splunk.
With cloning enabled, a Splunk forwarder sends its data to two or more other Splunk instances.
Important: This does not guarantee two or more exactly identical indexes; if one of the receivers becomes unavailable, data is only sent to the receivers that are available. This can result in non-identical indexes.
Configure cloning in Splunk Manager or in outputs.conf on the forwarding server. Set up a target group of receiving servers to which the forwarder sends all its data.
On the forwarding server, add the following to $SPLUNK_HOME/etc/system/local/outputs.conf:
[tcpout]
defaultGroup = indexer1, indexer2
heartbeatFrequency=10
maxQueueSize=10000

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9999
This configuration will send every event to both 10.1.1.197:9997 and 10.1.1.200:9999. Make sure you enable receiving on all the servers you are sending cloned data to.
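Because an unavailable receiver silently leads to non-identical indexes, it helps to check the clone targets before relying on them. The following Python sketch is an added example, not part of the Splunk documentation: it parses an outputs.conf like the one above, resolves each group named in defaultGroup to its server setting, and reports groups that accept no TCP connection. The function names, the timeout and the handling of a comma-separated server list are assumptions of this example.

```python
import configparser
import socket

# Constructed sample mirroring the outputs.conf shown on this page.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = indexer1, indexer2
heartbeatFrequency=10
maxQueueSize=10000

[tcpout:indexer1]
server=10.1.1.197:9997

[tcpout:indexer2]
server=10.1.1.200:9999
"""

def clone_targets(conf_text):
    """Return {group: [(host, port), ...]} for every group in defaultGroup."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. defaultGroup
    cp.read_string(conf_text)
    names = cp.get("tcpout", "defaultGroup").split(",")
    targets = {}
    for group in (n.strip() for n in names if n.strip()):
        section = "tcpout:" + group
        if not cp.has_option(section, "server"):
            # A group listed for cloning but never defined receives no data.
            raise ValueError(f"[{section}] is missing or has no server setting")
        servers = []
        # Assumption: tolerate a comma-separated list; the page shows one server.
        for entry in cp.get(section, "server").split(","):
            host, _, port = entry.strip().rpartition(":")
            servers.append((host, int(port)))
        targets[group] = servers
    return targets

def unreachable_groups(targets, timeout=2.0):
    """Return the groups in which no receiver accepts a TCP connection."""
    down = []
    for group, servers in targets.items():
        for host, port in servers:
            try:
                with socket.create_connection((host, port), timeout=timeout):
                    break  # at least one receiver in this group is listening
            except OSError:
                continue
        else:
            down.append(group)
    return down

if __name__ == "__main__":
    print(unreachable_groups(clone_targets(SAMPLE_OUTPUTS_CONF)))
```

A successful connection only shows that something is listening on the port; it does not confirm that receiving is enabled in Splunk on that server or that events are being indexed.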
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11