https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134607#M27665 <P>Hi,</P> <P>I want to send my log files to two different Splunk instances, but the data is only only being sent to one of the two environments. </P> <P>outputs.conf:</P> <PRE><CODE>[tcpout] defaultGroup=noredirect disabled = false maxQueueSize = 500KB [tcpout:twd104] server = 10.9.3.35:9997 [tcpout:splunk_prod] server = splunk-indexer01.rotterdam.local:9997,splunk-indexer02.rotterdam.local:9997 </CODE></PRE> <P>inputs.conf:</P> <PRE><CODE>[monitor:///var/log/mule/.../*] _TCP_ROUTING=splunk_prod disabled = false followTail = 0 sourcetype = log4j index = acc_abkr [monitor:///var/log/mule/.../*] _TCP_ROUTING=twd104 disabled = false followTail = 0 sourcetype = log4j </CODE></PRE> <P>The data is only send to splunk_prod.</P> <P>Why is this not working?</P> Wed, 22 Jul 2015 08:03:38 GMT arjangoos 2015-07-22T08:03:38Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134607#M27665 <P>Hi,</P> <P>I want to send my log files to two different Splunk instances, but the data is only only being sent to one of the two environments. </P> <P>outputs.conf:</P> <PRE><CODE>[tcpout] defaultGroup=noredirect disabled = false maxQueueSize = 500KB [tcpout:twd104] server = 10.9.3.35:9997 [tcpout:splunk_prod] server = splunk-indexer01.rotterdam.local:9997,splunk-indexer02.rotterdam.local:9997 </CODE></PRE> <P>inputs.conf:</P> <PRE><CODE>[monitor:///var/log/mule/.../*] _TCP_ROUTING=splunk_prod disabled = false followTail = 0 sourcetype = log4j index = acc_abkr [monitor:///var/log/mule/.../*] _TCP_ROUTING=twd104 disabled = false followTail = 0 sourcetype = log4j </CODE></PRE> <P>The data is only send to splunk_prod.</P> <P>Why is this not working?</P> Wed, 22 Jul 2015 08:03:38 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134607#M27665 arjangoos 2015-07-22T08:03:38Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134608#M27666 <P>Hi, </P> <P>My guess is that Splunk ignores your second input because all data is already read with the first input since both inputs are matching the same monitoring pattern. </P> <P>You don't want two Inputs for the same source. What might help you is a second target group for your input. </P> <P>What you need is something like:</P> <PRE><CODE>[tcpout] defaultGroup= &lt;target_group1&gt; , &lt;target_group2&gt; [tcpout:&lt;target_group1&gt;] server= &lt;receiving_server1&gt; , &lt;receiving_server2&gt; [tcpout:&lt;target_group2&gt;] server= &lt;receiving_server3&gt; </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Configureforwarderswithoutputs.confd">http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Configureforwarderswithoutputs.confd</A></P> Wed, 22 Jul 2015 14:07:15 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134608#M27666 hgrow 2015-07-22T14:07:15Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134609#M27667 <P>this is not working, the data gets sent to one target-group but not to the two groups at the same time.</P> Thu, 23 Jul 2015 09:31:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134609#M27667 arjangoos 2015-07-23T09:31:00Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134610#M27668 <P>That's strange. I wasnt able to rebuild your problem but according to the docs its what you need for <STRONG>data cloning</STRONG>. </P> <BLOCKQUOTE> <P>Data cloning</P> <P>To perform data cloning, specify multiple target groups, each in its own stanza. In data cloning, the forwarder sends copies of all its events to the receivers in two or more target groups. Data cloning usually results in similar, but not necessarily exact, copies of data on the receiving indexers. Here's an example of how you set up data cloning:</P> </BLOCKQUOTE> <PRE><CODE>[tcpout] defaultGroup=indexer1,indexer2 [tcpout:indexer1] server=10.1.1.197:9997 [tcpout:indexer2] server=10.1.1.200:9997 </CODE></PRE> <BLOCKQUOTE> <P>The forwarder will send duplicate data streams to the servers specified in both the indexer1 and indexer2 target groups. </P> </BLOCKQUOTE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Configureforwarderswithoutputs.confd">http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Configureforwarderswithoutputs.confd</A></P> <P>Can you post your changed inputs.conf and outputs.conf ?</P> Thu, 23 Jul 2015 13:54:43 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134610#M27668 hgrow 2015-07-23T13:54:43Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134611#M27669 <P>Hi arjangoos.</P> <P>I'm not sure if your problem is stil relevant, but i've done some tests. Here is a working configuration:</P> <P>inputs.conf </P> <PRE><CODE>[monitor:///opt/splunkdata/testdata.log] disabled = false index = main sourcetype = test _TCP_ROUTING = indexer1,indexer2 </CODE></PRE> <P>outputs.conf</P> <PRE><CODE>[tcpout] indexAndForward=true defaultGroup=discard [tcpout:indexer1] server=192.168.111.246:9997 [tcpout:indexer2] server=192.168.111.245:9997 [tcpout:discard] disabled = true </CODE></PRE> <P>In addition to my previous posts you define multiple tcpout_groups for the _TCP_ROUTING directly in your input. In this way you can use default routing functionality within the default stanza <A href="https://community.splunk.com/like%20your%20example" target="_blank">tcpout</A> for something else.</P> Tue, 29 Sep 2020 06:49:34 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134611#M27669 hgrow 2020-09-29T06:49:34Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134612#M27670 <P>I agree with hgrow. I don't think you can have 2 stanzas dealing with the same log source.</P> <P>So instead of using _TCP_ROUTING in inputs, use props and transforms.</P> <P>props.conf (Not sure about the source.)</P> <PRE><CODE>[source::///var/log/mule/.../*] TRANSFORMS-routingto2splunks = log_to_splunk1, log_to_splunk2 </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[log_to_splunk1] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = splunk_prod [log_to_splunk2] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = twd104 </CODE></PRE> Tue, 29 Sep 2020 06:48:03 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-TCP-ROUTING-configuration-not-working-as-expected-to/m-p/134612#M27670 dfronck 2020-09-29T06:48:03Z