https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209721#M41313 <P>I thought this was because the intermediate indexer sending cooked data to the final indexer? If so I was thinking that using the route settings as <A href="http://answers.splunk.com/answers/5528/forwarding-select-data-in-my-environment.html">described in this answer</A> would make sure the data goes though the parsing queues again. Does setting you mention for default-mode.conf do something similar? Thanks..</P> Fri, 11 Sep 2015 04:35:54 GMT cramasta 2015-09-11T04:35:54Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209718#M41310 <P>Our Splunk instance is currently receiving data from a remote Splunk instance. The remote indexer is sending data (many hosts with many different sourcetypes) to our indexers over TCP port 9998. We are interested in forcing this data to be collected in a custom index.</P> <P>I have confirmed that we are receiving data from the remote Splunk on port 9998, however, it is not being collected in the desired index. The following are the inputs.conf, props.conf, and transforms.conf which I currently have in place:</P> <P>inputs.conf</P> <P>[splunktcp://:9998]</P> <H1>index=CustomIndex</H1> <P>props.conf</P> <P>[source::tcp:9998]</P> <H1>TRANSFORMS-force_index = setIndexMeta</H1> <P>transforms.conf</P> <P>[setIndexMeta]<BR /> DEFAULT_VALUE = unknown<BR /> REGEX = (.)<BR /> DEST_KEY = _MetaData:Index</P> <H1>FORMAT = CustomIndex</H1> <P>I would appreciate assistance with this.</P> Tue, 29 Sep 2020 07:11:45 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209718#M41310 adamblock2 2020-09-29T07:11:45Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209719#M41311 <P>Forget <CODE>props.conf</CODE> and <CODE>transforms.conf</CODE> and just do this inside <CODE>$SPLUNK_HOME/etc/apps/MyApp/default/inputs.conf</CODE>:</P> <PRE><CODE>[splunktcp://:9998] index=CustomIndex sourcetype=MySourceType </CODE></PRE> <P>You also need to make sure you check/add this inside <CODE>$SPLUNK_HOME/etc/system/local/default-mode.conf</CODE> (it defaults to disabled):</P> <PRE><CODE>[pipeline:tcp] disabled = false </CODE></PRE> <P>Then you need to bounce all Splunk instances on the servers that get these files.</P> Fri, 11 Sep 2015 03:46:11 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209719#M41311 woodcock 2015-09-11T03:46:11Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209720#M41312 <P>In addition: The lines in <CODE>default-mode.conf</CODE> are only needed if this will be done on a forwarder.</P> Fri, 11 Sep 2015 03:52:34 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209720#M41312 MuS 2015-09-11T03:52:34Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209721#M41313 <P>I thought this was because the intermediate indexer sending cooked data to the final indexer? If so I was thinking that using the route settings as <A href="http://answers.splunk.com/answers/5528/forwarding-select-data-in-my-environment.html">described in this answer</A> would make sure the data goes though the parsing queues again. Does setting you mention for default-mode.conf do something similar? Thanks..</P> Fri, 11 Sep 2015 04:35:54 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209721#M41313 cramasta 2015-09-11T04:35:54Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209722#M41314 <P>What do you mean by "intermediate indexer"? What is your architecture?</P> Fri, 11 Sep 2015 04:51:24 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209722#M41314 woodcock 2015-09-11T04:51:24Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209723#M41315 <P>Sounds like from the original poster that they are receiving data from another indexer. Thought the data might be fully cooked by the time it gets to him and not go though the parsing queues to set the the new index.</P> <P>"The remote indexer is sending data to our indexers over TCP port 9998"</P> Fri, 11 Sep 2015 05:11:17 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209723#M41315 cramasta 2015-09-11T05:11:17Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209724#M41316 <P>It sounds like the OP has a remote Splunk instance and is forwarding data from that instance to his main instance. He wants to force the data coming from the remote instance into a certain "special" index and not into the main/default/or whatever index the remote instance is putting the data into.</P> <P>If parsing is already done by something else then the indexer is going to ignore the props and transforms, so I see why you said that they can be forgotten. But he has the index in inputs and it seems that it still isn't working.</P> Fri, 11 Sep 2015 12:57:08 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209724#M41316 jclehmuth 2015-09-11T12:57:08Z https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209725#M41317 <P>"When you forward structured data to an indexer, Splunk Enterprise does not parse this data once it arrives at the indexer, even if you have configured props.conf on that indexer with INDEXED_EXTRACTIONS. Forwarded data skips the following queues on the indexer, which precludes any parsing of that data on the indexer:</P> <P>parsing<BR /> aggregation<BR /> typing<BR /> The forwarded data must arrive at the indexer already parsed."<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.1.4/Forwarding/Routeandfilterdatad" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.1.4/Forwarding/Routeandfilterdatad</A> </P> <P>An expensive work around could be done by adding this to the inputs.conf</P> <P><CODE>[splunktcp://9998]<BR /> route=has_key:_utf8:parsingQueue;has_key:_linebreaker:parsingQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue<BR /> </CODE><BR /> Found here:<BR /> <A href="http://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible.html" target="_blank">http://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible.html</A><BR /> <A href="http://answers.splunk.com/answers/5528/forwarding-select-data-in-my-environment.html" target="_blank">http://answers.splunk.com/answers/5528/forwarding-select-data-in-my-environment.html</A></P> Tue, 29 Sep 2020 07:11:58 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-data-received-from-a-remote-Splunk-instance-not-being/m-p/209725#M41317 jclehmuth 2020-09-29T07:11:58Z