topic How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype in Getting Data In

How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

tusharsaran1 — Tue, 29 Sep 2020 17:32:06 GMT

We have a scenario where we need to forward data from 1 directory to 2 different indexer clusters. While this is achievable through TCP Routing in inputs.conf, I believe the solution will only work if everything else remains the same in the monitoring stanza.
We need to send data to the 2 clusters with different index/sourcetype configuration. Is this possible using the same inputs.conf file?

We have observed that setting up 2 different stanzas for the same monitored directory results in only one of the stanzas being respected. Below is a description of the configuration.

[monitor:///A/B/C]
index = index1
sourcetype = st1
_TCP_ROUTING = cluster1

[monitor:///A/B/C]
index = index2
sourcetype = st2
_TCP_ROUTING = cluster2

The above configuration resulted in the data only flowing to cluster2. We tried differentiating the 2 stanzas by putting asterisk at the end of the directory name, but it didn't make a difference.

Re: How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

mayurr98 — Wed, 10 Jan 2018 11:05:53 GMT

have a look at this answer
https://answers.splunk.com/answers/108295/sending-two-inputs-from-one-universal-forwarder-to-two-different-indexers-not-load-balancing.html

Let me know if this helps you!

Re: How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

gcusello — Wed, 10 Jan 2018 11:15:01 GMT

Hi tusharsaran1,
you have two solutions to your problem:

use symbolic link,
override sourcetype.

For symbolic link you have to use symlink and configure two stanzas in inputs.conf.

To override sourcetype see https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides .

If possible I suggest the second one.

Bye.
Giuseppe

Re: How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

tusharsaran1 — Wed, 10 Jan 2018 11:15:54 GMT

Not exactly. I have edited my question's original description to provide more context.

Re: How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

mayurr98 — Wed, 10 Jan 2018 11:30:04 GMT

i have edited the answer pls check

Re: How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

tusharsaran1 — Wed, 10 Jan 2018 11:33:36 GMT

I am not sure if the second solution is going to work for us. The documentation that you shared talks about overriding sourcetypes on a per-event basis. We need to configure different sourcetypes on a directory basis. Moreover, we also need to assign different indexes.
Can you provide some more info about symlinks here? How should we use symlinks to suit our requirements? Do you mean we should just create a symlink and then have 2 monitor stanzas (one for the original dir and one for the symlink) ? If yes, then I think this is a good idea.
Also, why do you prefer the second approach?

Re: How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

gcusello — Tue, 29 Sep 2020 17:36:18 GMT

Hi tusharsaran1,
I prefer second approach because in this way I have more control on the operation managing it on the indexers.
In this way you configure one of your clusters indexers to change sourcetype for a specified sourcetype:
e.g. if I have a sourcetype called S_one and I want to change in S_two I use

in props.conf

[S_One]
TRANSFORMS-S_One = Override_S_One

In transforms.conf

[Override_S_One]
REGEX = .
FORMAT = sourcetype::Override_S_One
DEST_KEY = MetaData:Sourcetype

About symlink, yes you create a symlink and then you have two stanzas in inputs.conf.
remember to put in your symlink stanza the following items:

crcSalt = <SOURCE>
followSymlink = true

Bye.
Giuseppe

Re: How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

tusharsaran1 — Wed, 10 Jan 2018 13:35:25 GMT

Thanks for your response Giuseppe. What we observed during our testing earlier was that fishbucket was preventing the files in the dir to be sent to both clusters because it respected only 1 stanza and ignored the file when it encountered the second stanza.
When we use symlinks, won't we run into the same issue again as the actual file names (including absolute path) would still remain the same?

Re: How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

gcusello — Wed, 10 Jan 2018 13:40:41 GMT

Hi tusharsaran1,
did you used crcSalt = <SOURCE> and followSymlink = true in symlink stanza?
I have some situations managed with symlink and they correctly run.

Bye.
Giuseppe

Re: How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

tusharsaran1 — Wed, 10 Jan 2018 15:42:49 GMT

I meant when we did the testing without symlinks, we ran into issues with fishbucket. I am accepting this answer for now as I am going to create symlinks to test it out. I'll reopen the communication if the solution doesn't work for us.