All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to route data collected by Splunk Stream to a different indexer?

janispelss
Path Finder
‎05-11-2018 12:12 AM

I've been trying to test the Splunk Stream ap to collect some data I need from a Windows server. The forwarder installed on that server is already collecting some other data and sending it to the production cluster, and obviously I want to keep doing that. But since I'm still just testing the Splunk Stream app, I'd like to send data from it to a dev indexer, but I can't get that to work.

I have added the output group for the dev indexer to the forwarder, without setting it as the default output group in outputs.conf. This part seems to work correctly, since the internal logs of that forwarder are now sent both to the prod cluster and the dev indexer. However, adding it to the _TCP_ROUTING parameter in inputs.conf of the Splunk_TA_stream doesn't work. I've tried adding it to both [default] and [streamfwd://streamfwd] stanzas.

Other than that, the data collection seems to be working fine, and I can control what is being collected using the app installed on the dev indexer.

Would anyone be able to help with this?

0 Karma
Reply

dmuegge_splunk
Splunk Employee
Splunk Employee
‎08-16-2019 09:49 AM

Just as an update to this post as it may be out of date. I was able to successfully test _TCP_ROUTING for stream. The documentation at https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad under the heading "Route inputs to specific indexers based on the data input" does work for the stream input.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎05-11-2018 02:32 AM

First, you need to be using a Heavy Forwarder, and not a Universal Forwarder. Which do you have in your environment? Make sure you read the following : http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

It outlines requirements to do what you are describing.

Aside from the, run btool against your outputs on that forwarder and make sure your configuration is applied.

0 Karma
Reply

janispelss
Path Finder
‎05-14-2018 12:18 AM

So for the Splunk Stream inputs do I have to use props.conf and transforms.conf on a heavy forwarder? For other cases where I want to send different inputs to different indexers, I have been successfully using inputs.conf and outputs.conf on a Universal Forwarder, like in the "Route inputs to specific indexers based on the data input" of the documentation page you linked.

0 Karma
Reply

dmuegge_splunk
Splunk Employee
Splunk Employee
‎08-16-2019 09:52 AM

I know this is older but I ran across this post when testing this scenario. The _TCP_ROUTING method in "Route inputs to specific indexers based on the data input" in the docs worked as advertised with the stream input for me.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...