All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can the Splunk Add-on for AWS forward to a non-default indexer cluster?

scombs
Path Finder
‎06-02-2023 02:53 PM

Is it possible to forward different Splunk Add-on for AWS inputs to different indexer clusters?   We have a heavy forwarder using Splunk_TA_aws and standard defaultGroup=<clusterlabel>, indexerDiscovery, etc configured in etc/system/local/outputs.conf.  At present, all the AWS inputs are forwarded to indexes contained within the default indexer cluster.  However, we now have an AWS input which we want to forward to an index in a different indexer cluster.  Are there options within either the etc/apps/Splunk_TA_aws/local/ or other .conf files that will allow us to, say, add a second [tcpout:Cluster2] stanza into outputs.conf and then forward  events from this new AWS input to it?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-04-2023 03:54 AM

Hi

i haven’t do it with AWS TA, but I suppose that you could do it with these instructions https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad

r. Ismo

Reply

scombs
Path Finder
‎06-09-2023 07:54 PM

Thanks r.

I didn't try your solution, but another colleague got it working with the following configuration.

 

 

../etc/system/local/outputs.conf
[indexer_discovery:first_cluster_label]
master_uri = https://mm.mm.mm.mm:8089
passSymmKey = $asdfasfasdfasfasdfasdfas=
. . .
[indexer_discovery:second_cluster_label]
master_uri = https://nn.nn.nn.nn:8089
passSymmKey = $zxcvzxcvzxcvzxcvzxcvzxcv=
. . .
[tcpout:FirstClusterName]
autoLBFrequency = 30
indexerDiscovery = first_cluster_label
. . .
[tcpout:SecondClusterName]
autoLBFrequency = 30
indexerDiscovery = second_cluster_label
. . .
[tcpout]
defaultGroup = FirstClusterName
. . .


../etc/apps/Splunk_TA_aws/inputs.conf
[aws_sqs_based_s3://First_SQS_S3_Import]
# Uses defaultGroup.
. . .
[aws_sqs_based_s3://Second_SQS_S3_Import]
_TCP_ROUTING = SecondClusterName
. . .

 

 

 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-10-2023 12:07 AM
This is exactly the same solution what I propose. It’s even better learning experience that you are solving it by yourself;-)
Happy splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...