https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316946#M94818 <P>I don't believe the _TCP_ROUTING is written into metadata for each event. It's an attribute used by Splunk engine (of heavy forwarder/indexer) to route events to different queue/ tcpout groups, it's not assigned to event.</P> Tue, 29 Sep 2020 14:59:00 GMT somesoni2 2020-09-29T14:59:00Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316945#M94817 <P>Hello all</P> <P>Is there a way you can query event's _TCP_ROUTING key value in a search? I would assume you should be able to since its being written in the events meta. We have bit of a complicated data routing and filtering issue and a search like this would be super helpful.</P> <P>Thanks!</P> Tue, 29 Sep 2020 14:56:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316945#M94817 jcspigler2010 2020-09-29T14:56:53Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316946#M94818 <P>I don't believe the _TCP_ROUTING is written into metadata for each event. It's an attribute used by Splunk engine (of heavy forwarder/indexer) to route events to different queue/ tcpout groups, it's not assigned to event.</P> Tue, 29 Sep 2020 14:59:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316946#M94818 somesoni2 2020-09-29T14:59:00Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316947#M94819 <P>Correct, hence converted to answer for your convenience. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 19 Jul 2017 18:55:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316947#M94819 s2_splunk 2017-07-19T18:55:14Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316948#M94820 <P>Thanks somesoni2!</P> <P>Sorry for the delay in credit. Was onsite with a customer all day. If you would be so kind to humor my next question. I can always start another thread if need be.</P> <P>But we have an odd requirement at a client site where they index EVERYTHING sent from a heavy forwarder to an indexer and then send 2 or 3 source types off to a remote indexer. Now I know this isn't the conventional or best practice way of doing stuff, but due to political and environment boundaries, they have to forward data from the indexer and not the HF. HF would obviously be the optimal place to do this. So my question is, can we set the _TCP_ROUTING key at the HF level, and use it for routing and forwarding decisions at the indexer level? I guess the question generalized, does the DEST_KEY and FORMAT values persist from splunk instance to splunk instance or is just internal to that instance. I am going to test this out this week but figured someone would already have the answer.</P> <P>Thanks!</P> Tue, 29 Sep 2020 14:57:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316948#M94820 jcspigler2010 2020-09-29T14:57:20Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316949#M94821 <P>The routing transformation are applied during cooking/parsing of data, which will be done at Heavy forwarder level in your use case. Once cooked/parsed at HF level, it won't be parsed again (default and understandably) at indexer level. Now you can configure Indexers to re-parse the data but a) not recommended, b) it can't be done for a single sourcetype, but will be done for all data coming to indexers. So, basically you'll be doing double processing, consuming double resources and double latency for parsing. If that's something you can live with, see this on how to implement it.</P> <P><A href="https://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible.html">https://answers.splunk.com/answers/97918/reparsing-cooked-data-coming-from-a-heavy-forwarder-possible.html</A><BR /> <A href="https://answers.splunk.com/answers/224312/hf1-hf2-indexer-how-to-route-a-set-of-data-that-ha.html">https://answers.splunk.com/answers/224312/hf1-hf2-indexer-how-to-route-a-set-of-data-that-ha.html</A></P> <P>One more thing, you'll need to ensure that your Indexers have all the props.conf/transforms.conf that are in Heavy forwarder (because of re-parsing).</P> Wed, 19 Jul 2017 21:07:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316949#M94821 somesoni2 2017-07-19T21:07:14Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316950#M94822 <P>Thanks somesoni2</P> Wed, 19 Jul 2017 21:22:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316950#M94822 jcspigler2010 2017-07-19T21:22:53Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316951#M94823 <P>Hmmmm, while semantically correct, I don't think that's applicable. You should be able to affect TCP routing wherever you have an outputs.conf. Functionally, an indexer is nothing other than a heavy forwarder that writes to disk, so you should be able to that there as well.</P> Thu, 20 Jul 2017 22:01:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316951#M94823 s2_splunk 2017-07-20T22:01:49Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316952#M94824 <P>But after lot trials, not able to forward data from indexers.</P> Fri, 15 Sep 2017 11:36:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316952#M94824 anand_singh17 2017-09-15T11:36:31Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316953#M94825 <P>Are you sure you followed the <A href="http://docs.splunk.com/Documentation/Splunk/6.6.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding">documentation on the topic</A> and placed the appropriate configuration files in the appropriate places?</P> <P>IndexAndForward should work just fine on an indexer...?</P> Fri, 15 Sep 2017 21:25:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316953#M94825 s2_splunk 2017-09-15T21:25:41Z https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316954#M94826 <P>Hi Ssievert,</P> <P>We do not have HF, where we can apply these configs.</P> <P>We have 500 devices and have 98% of them sending data from UF, so as per optimization, we did not go for HF. </P> <P>When applying the settings, UF is not able to process them.</P> Sun, 17 Sep 2017 05:02:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-query-TCP-ROUTING-key-value/m-p/316954#M94826 anand_singh17 2017-09-17T05:02:08Z