<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk Default group in Installation</title>
    <link>https://community.splunk.com/t5/Installation/Splunk-Default-group/m-p/524620#M6792</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206557"&gt;@pankajupadhyay&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;you can find all the info at&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input&lt;/A&gt;&lt;/P&gt;&lt;P&gt;In a few words:&lt;/P&gt;&lt;P&gt;you have to modify your outputs.conf, adding the second group and deleting the default group&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[tcpout:systemGroup]
server=server1:9997

[tcpout:applicationGroup]
server=server2:9997&lt;/LI-CODE&gt;&lt;P&gt;Then, in inputs.conf, you have to address each input&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[monitor://.../file1.log]
_TCP_ROUTING = systemGroup

[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup&lt;/LI-CODE&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
    <pubDate>Wed, 14 Oct 2020 13:18:11 GMT</pubDate>
    <dc:creator>gcusello</dc:creator>
    <dc:date>2020-10-14T13:18:11Z</dc:date>
    <item>
      <title>Splunk Default group</title>
      <link>https://community.splunk.com/t5/Installation/Splunk-Default-group/m-p/524617#M6791</link>
      <description>&lt;P&gt;On the forwarder, we have placed the indexer in outputs.conf as the default group, so in this case all the logs are forwarded to the indexer by default.&lt;/P&gt;&lt;P&gt;But if I do not want to send specific logs to the indexer which is in the default group, then what needs to be done?&lt;/P&gt;&lt;P&gt;Please help&lt;/P&gt;</description>
      <pubDate>Wed, 14 Oct 2020 13:11:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Installation/Splunk-Default-group/m-p/524617#M6791</guid>
      <dc:creator>pankajupadhyay</dc:creator>
      <dc:date>2020-10-14T13:11:22Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Default group</title>
      <link>https://community.splunk.com/t5/Installation/Splunk-Default-group/m-p/524620#M6792</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206557"&gt;@pankajupadhyay&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;you can find all the info at&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input&lt;/A&gt;&lt;/P&gt;&lt;P&gt;In a few words:&lt;/P&gt;&lt;P&gt;you have to modify your outputs.conf, adding the second group and deleting the default group&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[tcpout:systemGroup]
server=server1:9997

[tcpout:applicationGroup]
server=server2:9997&lt;/LI-CODE&gt;&lt;P&gt;Then, in inputs.conf, you have to address each input&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[monitor://.../file1.log]
_TCP_ROUTING = systemGroup

[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup&lt;/LI-CODE&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 14 Oct 2020 13:18:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Installation/Splunk-Default-group/m-p/524620#M6792</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2020-10-14T13:18:11Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Default group</title>
      <link>https://community.splunk.com/t5/Installation/Splunk-Default-group/m-p/535320#M7056</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352"&gt;@gcusello&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As per the configuration below, it should send the data to vesxi, but it is sending the logs to Indexers as well.&lt;/P&gt;&lt;P&gt;Can you please let me know if there is anything wrong with the configuration?&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;outputs.conf&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;[tcpout:Indexers]&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;server = 10.1.1.1:9996,10.1.1.2:9997&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;[tcpout:vesxi]&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;server = 10.20.20.20:519&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;sendCookedData = false&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;disabled = false&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Transforms.conf&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;[vmwaresxilogs]&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;REGEX = (logged out|Rejected password for user|Cannot login|logged in as|Accepted user for user|was updated on host|Password was changed for account|Destroy VM called)&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;DEST_KEY = _TCP_ROUTING&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;FORMAT = vesxi&amp;nbsp;&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;props.conf&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;[vmw-syslog]&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;TRANSFORMS-routing=vmwaresxilogs&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 11 Jan 2021 09:25:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Installation/Splunk-Default-group/m-p/535320#M7056</guid>
      <dc:creator>pankajupadhyay</dc:creator>
      <dc:date>2021-01-11T09:25:12Z</dc:date>
    </item>
  </channel>
</rss>

