topic How to forward _internal to defaultGroup in Getting Data In

How to forward _internal to defaultGroup

ktn01 — Tue, 29 Sep 2020 12:50:16 GMT

Hello,
I have the following outputs defined on all my universal forwarders:

[tcpout]
defaultGroup = prod-group, valid-group

[tcpout:prod-group]
server = server1:9997

[tcpout:valid-group]
server = server2:9997

[tcpout:dev-group]
server = server3:9997

DefaultGroup may be different on some UF.

Inputs to index "_internal" are send to each output group because the file "$SPLUNKHOME/apps/SplunkUniversalForwarder/default/inputs.conf have the following contents:

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal

I want to send these event only to groups defined as defaultGroup.

I presume I will have to create a new "local/inputs.conf" file with a redefinition of _TCP_ROUTING like

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = ????

But I have no idee of the definition I have to get to _TCP_ROUTING

Thanks

Re: How to forward _internal to defaultGroup

ktn01 — Tue, 29 Sep 2020 12:47:12 GMT

Hello,
I try

_TCP_ROUTING = $defaultGroup

_TCP_ROUTING = ""

and

_TCP_ROUTING =

but it doesn't work.

Re: How to forward _internal to defaultGroup

gcusello — Tue, 29 Sep 2020 12:50:19 GMT

Hi ktn01,
see http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data.27s_input.
at first you don't need to insert _TCP_ROUTING = * when you want to route your events to all indexers because by default, when there isn't any _TCP_ROUTING option, events are routed to al indexers (with growth of license consumption!).
when you use _TCP_ROUTING there isn't a default group.
So, you have to:

define in outputs.conf your tcpout stanzas: prod-group, valid-group or dev-group;
copy all the stanzas with index = _internal from $SPLUNK_HOME/etc/system/default/inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf;
insert in every stanza _TCP_ROUTING = prod-group (or valid-group or dev-group);
restart Splunk.

Before to do this, evaluate what you want to do with the other internal Splunk index (_audit).

bye.
Giuseppe

Re: How to forward _internal to defaultGroup

ktn01 — Tue, 29 Sep 2020 12:47:14 GMT

Hello,
I don't want to insert _TCP_ROUTING = "*". Splunk do it by default on app "Splunkforwarder". I don't want to modify the file on "default" directory.

I way is probable to redefine _TCP_ROUTING on "local" directory. It's easy to redirect event to "prod-group" or "valid-group". But how do I have to define _TCP_ROUTING to send events to the output(s) defined as defaultGroup ?

Re: How to forward _internal to defaultGroup

gcusello — Tue, 29 Sep 2020 12:50:22 GMT

Default is " to all indexers" : if you don't insert _TCP_ROUTING, you send to all indexers, if you insert _TCP_ROUTING, you send to the selected indexer/s.
Bye.
Giuseppe

Re: How to forward _internal to defaultGroup

goelli — Tue, 21 Mar 2017 16:09:44 GMT

I downvoted this post because it is not respecting the fact, that _TCP_Routing = * is set by Splunk's default on Universal Forwarders as stated already in the question.

Re: How to forward _internal to defaultGroup

htidore — Wed, 13 Dec 2017 14:05:41 GMT

More details on how to managed logs for _internal.

The _internal index are populated by the following stanzas:

$SPLUNK_HOME/etc/default/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
[monitor://$SPLUNK_HOME/etc/splunk.version]
$SPLUNK_HOME/apps/SplunkUniversalForwarder/default/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]

If we want to forward the logs only to "prod-group" then create the following in

$SPLUNK_HOME/etc/system/local/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = prod-group