topic Re: universal forwarder with more than one outputs.conf in Getting Data In

universal forwarder with more than one outputs.conf

mamaral — Thu, 14 Apr 2011 01:21:10 GMT

I need to figure mine collection of universal forwarders to sent information to distinct tcp ports...

Basicaly:

*NIX sending to indexer on port 7700

Input A sending to indexer on port 7701

Input B sending to indexer on port 7702

and etc..

Could someone please help me?

Thanks

Amaral

Re: universal forwarder with more than one outputs.conf

Rob — Thu, 14 Apr 2011 02:20:28 GMT

I am not quite sure what you are looking to do. But if you are looking to configure a Universal Forwarder to forward all data to 3 different indexers for specific ports then you will want to create a stanza for each indexer in your outputs.conf file like this:

[tcpout]
defaultGroup=*

[tcpout:Nix]
server = xxx.xxx.xxx.xxx:7700

[tcpout:inputA]
server = xxx.xxx.xxx.xxx:7701

[tcpout:inputB]
server = xxx.xxx.xxx.xxx:7702

If you want some additional information from the Splunk documentation, here is a link for cloning data across indexes and here is a link for forwarding data to indexes.

Re: universal forwarder with more than one outputs.conf

gkanapathy — Thu, 14 Apr 2011 11:45:33 GMT

There's rarely a point in doing this. You can just send them all to the same port. The Splunk forwarding protocol includes identification of the source host (and the source file, the destination index, and other things) so there's usually not any need or advantage to using more than one port.

But if you really did need this for some reason (e.g., you're running multiple instances of Splunk on the host on different ports, or simply different hosts), you'd simply add a _TCP_ROUTING key to the inputs clause:

_TCP_ROUTING = destA

where destA is just the name of the output group in outputs.conf, e.g. destA in [tcpout:destA]