https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400785#M71377 <P>Thanks for your reply. But here's what I've found. Taking your suggestion I've tried all different combinations of _TCP_ROUTING and defaultGroup. If a server is in the defaultGroup it gets all data from all the apps. If it's not it gets nothing. _TCP_routing has no effect no matter which server is in it. The statement seems to be completely ignored.</P> Tue, 29 Sep 2020 20:51:34 GMT JarrettM 2020-09-29T20:51:34Z https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400781#M71373 <P>We soon will be required to send our Windows Event Security logs to a separate Splunk sever owned by our organization's Security group. To test this, I installed a test Splunk server (testsplunk in below files). I first tested that I could send all events to both Splunk indexers. Here are are outputs.conf and inputs.conf from the Splunk Universal Forwarder client I used in this first test:</P> <PRE><CODE>$SPLUNK_HOME/etc/system/local/outputs.conf [tcpout] defaultGroup = mysplunk, testsplunk [tcpout:mysplunk] server = mysplunk.com:9997 [tcpout:testsplunk] server = testsplunk.com:9997 $SPLUNK_HOME/etc/apps/WinEvt_Logs/local/inputs.conf [WinEventLog://Security] disabled = 0 index = winevent </CODE></PRE> <P>In this case both servers received all events as expected (including events from 3 other apps not shown here). In the next test I wanted mysplunk to continue receive all events and testsplunk to only get [WinEventLog://Security] To accomplish this I took testsplunk out of the defaultGroup and modified inputs.conf as shown below:</P> <PRE><CODE>$SPLUNK_HOME/etc/system/local/outputs.conf [tcpout] defaultGroup = mysplunk [tcpout:mysplunk] server = mysplunk.com:9997 [tcpout:testsplunk] server = testsplunk.com:9997 $SPLUNK_HOME/etc/apps/WinEvt_Logs/local/inputs.conf [WinEventLog://Security] _TCP_ROUTING = mysplunk, testsplunk disabled = 0 index = winevent </CODE></PRE> <P>After restarting the SplunkForwarder, mysplunk did keep receiving all events but testsplunk now got nothing. <BR /> What am I missing?</P> Mon, 13 Aug 2018 18:27:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400781#M71373 JarrettM 2018-08-13T18:27:57Z https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400782#M71374 <P>Get rid of <CODE>mysplunk</CODE> group from <CODE>_TCP_ROUTING</CODE> and this should route security event logs to <CODE>testsplunk</CODE> and other data to <CODE>mysplunk</CODE>.</P> <PRE><CODE>[WinEventLog://Security] _TCP_ROUTING = testsplunk disabled = 0 index = winevent </CODE></PRE> <P>Your outputs.conf looks good. </P> Mon, 13 Aug 2018 19:31:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400782#M71374 sudosplunk 2018-08-13T19:31:51Z https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400783#M71375 <P>Hi,</P> <P>Try adding testsplunk to the default group, else exclude the default group. <BR /> This will enable [WinEventLog://Security] logs to both mysplunk and testsplunk</P> Mon, 13 Aug 2018 20:24:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400783#M71375 pruthvikrishnap 2018-08-13T20:24:00Z https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400784#M71376 <P>Thanks for your reply. But here's what I've found. I've tried all different combinations of _TCP_ROUTING and defaultGroup. If a server is in the defaultGroup it gets all data from all the apps. If it's not it gets nothing. _TCP_routing has no effect no matter which server is in it. The statement seems to be completely ignored</P> Tue, 29 Sep 2020 20:51:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400784#M71376 JarrettM 2020-09-29T20:51:31Z https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400785#M71377 <P>Thanks for your reply. But here's what I've found. Taking your suggestion I've tried all different combinations of _TCP_ROUTING and defaultGroup. If a server is in the defaultGroup it gets all data from all the apps. If it's not it gets nothing. _TCP_routing has no effect no matter which server is in it. The statement seems to be completely ignored.</P> Tue, 29 Sep 2020 20:51:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400785#M71377 JarrettM 2020-09-29T20:51:34Z https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400786#M71378 <P>I've tested this and was able to route events as desired.<BR /> <STRONG>_TCP_ROUTING=testsplunk</STRONG> will (and should) route data (from respective monitor stanza) to 'testsplunk' group. <BR /> defaultGroup=mysplunk (in ouputs.conf) will route all other data (including _internal logs) to 'mysplunk' group. If this is not working, then please check for typos and see that there isn't any precedence issue. On forwarder, run this command to check various inputs.conf settings which splunk is taking into consideration. <BR /> <CODE>From $SPLUNK_HOME/bin/, splunk btool inputs list --debug</CODE></P> <P>Just reminding, forwarder must be restarted for the changes to take effect. More information about, <A href="http://docs.splunk.com/Documentation/Splunk/7.1.2/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input" target="_blank">Route inputs to specific indexers based on the data input</A> </P> Tue, 29 Sep 2020 20:54:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400786#M71378 sudosplunk 2020-09-29T20:54:45Z https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400787#M71379 <P>Thanks. I obviously have a mis-configuration somewhere. I'll keep hacking at it and let you know when I figure it out.</P> Tue, 14 Aug 2018 13:09:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400787#M71379 JarrettM 2018-08-14T13:09:13Z https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400788#M71380 <P>Did you ever figure out a fix for this issue? I am seeing the exact same behavior for our windows inputs.</P> Wed, 12 Dec 2018 15:33:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400788#M71380 JLewis21 2018-12-12T15:33:41Z https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400789#M71381 <P>it is case sensitive... so ALL CAPS on that _TCP_ROUTING part. </P> Tue, 29 Sep 2020 23:59:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-TCP-ROUTING-work-in-inputs-conf/m-p/400789#M71381 joesrepsolc 2020-09-29T23:59:41Z