https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343405#M63236 <P>Yes, I checked. It's writing only to the first index and passing the same to group1 indexers.</P> Thu, 21 Sep 2017 14:53:27 GMT arunsunny 2017-09-21T14:53:27Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343398#M63229 <P>Hi All,</P> <P>Facing few challlenges, mine is playing around with the same transforms.</P> <P>I'm trying to achieve the same source data to forward to two different logical indexes and two different indexers groups. </P> <P>Below is my senrio.</P> <P>In props.conf used </P> <P>[source::Dual_Data_Testing]<BR /> TRANSFORMS-source = Stan1, Stan2</P> <P>In transforms.conf</P> <P>[Stan1]<BR /> SOURCE_KEY = MetaData:Source<BR /> REGEX = .<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = Index1<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = IndexerGroup1</P> <P>[Stan2]<BR /> SOURCE_KEY = MetaData:Source<BR /> REGEX = .<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = Index2<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = IndexerGroup2</P> <P>Currently the above conf is not working.</P> <P>Please any suggestion can we workaround for this ?</P> <P>Thanks,<BR /> Arun Sunny</P> Tue, 29 Sep 2020 15:49:28 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343398#M63229 arunsunny 2020-09-29T15:49:28Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343399#M63230 <P>Hi arunsunny,<BR /> do you want to send all logs to:</P> <UL> <LI>both the indexers groups,</LI> <LI>selectively some logs to one group, some other to another group and some logs to both the groups?</LI> </UL> <P>if the first, you don't need to configure props and transforms, you have only to configure outputs.conf</P> <PRE><CODE>[tcpout:Group1] defaultGroup = default-autolb-group [tcpout-server://xx.xxx.xxx.xx:9997] [tcpout-server://yy.yyy.yyy.yy:9997] [tcpout:default-autolb-group] server = xx.xxx.xxx.xx:9997, yy.yyy.yyy.yy:9997 disabled = false [tcpout:Group2] server=aa.aaa.aaa.aa:9997, bb.bbb.bbb.bb:9997 disabled = false [tcpout-server://aa.aaa.aaa.aa:9997] [tcpout-server://bb.bbb.bbb.bb:9997] </CODE></PRE> <P>If the second, follow <A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad</A><BR /> In other words you have to configure an outputs.conf as above and in every inputs.conf stanza put:</P> <UL> <LI>_TCP_ROUTING=Group1 for logs to send only to Indexers Group1</LI> <LI>_TCP_ROUTING=Group2 for logs to send only to Indexers Group2</LI> <LI>nothing for logs to send to both the Indexers Groups</LI> </UL> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 15:49:31 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343399#M63230 gcusello 2020-09-29T15:49:31Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343400#M63231 <P>try this</P> <P>inputs.conf<BR /> [monitor://filepath1]<BR /> index=index1<BR /> _TCP_ROUTING = indexergroup1</P> <P>[monitor://filepath1]<BR /> index=index2<BR /> _TCP_ROUTING = indexergroup2</P> <P>Outputs.conf</P> <P>[tcpout:indexergroup1]<BR /> server=server1:9997</P> <P>[tcpout:indexergroup2]<BR /> server=server2:9997</P> Tue, 29 Sep 2020 15:49:33 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343400#M63231 sbbadri 2020-09-29T15:49:33Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343401#M63232 <P>Actually, I was trying for one of the DB input sources, so I cant duplicate the monitor stanza in inputs.conf</P> <P>Thanks,</P> Wed, 20 Sep 2017 16:28:28 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343401#M63232 arunsunny 2017-09-20T16:28:28Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343402#M63233 <P>try this,</P> <P>#props.conf <BR /> [source::Dual_Data_Testing]<BR /> sourcetype=sourcetype1</P> <P>[source::Dual_Data_Testing]<BR /> sourcetype=sourcetype2</P> <P>[sourcetype1]<BR /> TRANSFORMS-index_outputgroup1 = overrideindex1,outputgroup1</P> <P>[sourcetype2]<BR /> TRANSFORMS-index_outputgroup2 = overrideindex2,outputgroup2</P> <P>Transforms.conf</P> <P>[overrideindex1]<BR /> DEST_KEY =_MetaData:Index<BR /> REGEX = .<BR /> FORMAT = my_new_index1</P> <P>[overrideindex2]<BR /> DEST_KEY =_MetaData:Index<BR /> REGEX = .<BR /> FORMAT = my_new_index2</P> <P>[outputgroup1]<BR /> REGEX=(.)<BR /> DEST_KEY=_TCP_ROUTING<BR /> FORMAT=outputgroup11</P> <P>[outputgroup2]<BR /> REGEX=(.)<BR /> DEST_KEY=_TCP_ROUTING<BR /> FORMAT=outputgroup22</P> <P>Outputs.conf</P> <P>[tcpout:outputgroup11]<BR /> server=server1:9997</P> <P>[tcpout:outputgroup22]<BR /> server=server1:9997</P> Tue, 29 Sep 2020 15:49:50 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343402#M63233 sbbadri 2020-09-29T15:49:50Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343403#M63234 <P>Its working fine for one output group and other is completely stopped sending events <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> .</P> Thu, 21 Sep 2017 08:57:13 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343403#M63234 arunsunny 2017-09-21T08:57:13Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343404#M63235 <P>Did you check data is writing on both the index and sourcetype.</P> Thu, 21 Sep 2017 14:47:44 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343404#M63235 sbbadri 2017-09-21T14:47:44Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343405#M63236 <P>Yes, I checked. It's writing only to the first index and passing the same to group1 indexers.</P> Thu, 21 Sep 2017 14:53:27 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343405#M63236 arunsunny 2017-09-21T14:53:27Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343406#M63237 <P>And I believe we can play around only once in _MetaData key values in transforms.conf . </P> Thu, 21 Sep 2017 16:04:22 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343406#M63237 arunsunny 2017-09-21T16:04:22Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343407#M63238 <P>yeah thus why i have two different sourcetype for a source. But you mentioned that it is writing to only one sourcetype. May be you can try one with _TCP_ROUTING and another with _SYSLOG_ROUTING. </P> <P>Check the below link,<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad</A><BR /> Topic: Replicate a subset of data to a third-party system</P> Tue, 29 Sep 2020 15:50:35 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-same-source-data-to-two-different-logical-indexes/m-p/343407#M63238 sbbadri 2020-09-29T15:50:35Z