Enable sending internal logs from other Splunk servers

[justinrush]

My use case for using the operator is to hold _internal logs for my existing Splunk cluster. The operator creates a service for all the ports on the indexer cluster, but creating an ingress for the s2s port seems to result in splunkd on external boxes trying to connect directly to the IP, which obviously won't work as it is an L7 load balancer. I created a service for the s2s port and exposed with a L4 LB - its not that hard to manually create that service, but it would be great if there was a way to do that with the CRDs.

Exposing it with an L4 allowed me to edit outputs.conf on other Splunk servers to send _internal logs over, but the service is stomping on the host attribute and that host attribute is set to whatever indexer receives the logs. Not sure why that is.

[mikedickey]

Note that you can use the CRD parameter serviceTemplate to override the service parameters used by operator for the (non-headless) services it creates, including changing "type: LoadBalancer." You can also use an ingress controller, which is the recommended approach.

I don't follow the issue you are having with _internal logs. Would you explain that further?

[michal-tatusko-splunk]

Please follow the mikedickey's suggestion as it should address your use case. We will also make sure to include it in our Reference Architecture documentation.