This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
Set up your forwarding servers to balance outputs by sending events in a round-robin fashion to separate Splunk servers. To set up data balancing, add a stanza to outputs.conf.
Note: Data balancing is an advanced feature that you can configure in outputs.conf. However, the topology and input configuration does not display properly in Splunk Web's Admin > Distributed > View Topology page. This issue will be resolved in a future release.
Caution: Ensure that all instances of Splunk that are indexing data in a round-robin configuration have plenty of disk space. A current limitation of Splunk exists such that if a Splunk indexer runs out of disk space, all forwarders involved in the round-robin configuration will stop forwarding data to all Splunk indexers.
Edit $SPLUNK_HOME/etc/system/local/outputs.conf:
[tcpout:FooGroup] server=$IP:$PORT, $IP2:$PORT2, etc...
Specify the $IP:$PORT of the Splunk servers that will receive the forwarded data. You can enter any number of servers for Splunk to round-robin between. If one of the receiving servers goes down, the forwarder sends all events to the one that is still up, while simultaneously retrying the one that is down. If all servers are down, the forwarder goes into retry loops, and the queue fills according to the queue configuration parameters.
Also, you can optionally specify back off and queue settings in outputs.conf. For more information, read Configure outputs.conf.
[tcpout:SwanGroup] server=10.1.1.197:9997, 10.1.1.200:9999 [tcpout:PearlGroup] server=10.1.1.220:9997, 10.1.1.300:9999
With this configuration, Splunk clones every event into 2 round-robin target groups.