I need help in sending data to two output types, [tcpout] and [httpout].
Is this possible? Because when I am using outputs.conf and pointing it to two output types, I can only see data to [httpout] https://hecendpoint:8088 and data is not going to another indexer which is of [tcpout] indexerip:9997
@rasikmhetre wrote: I need help in sending data to two output types, [tcpout] and [httpout].
Is this possible? Because when I am using outputs.conf and pointing it to two output types, I can only see data to [httpout] https://hecendpoint:8088 and data is not going to another indexer which is of [tcpout] indexerip:9997
No, you cannot use [httpout] in tandem with either [tcpout] or [syslog]. The following text states this is true for UFs and light forwarders. It also states httpout is only supported on UFs, but it works on HFs as well. I've tested with both httpout and tcpout, but httpout will take precedence every time.
https://docs.splunk.com/Documentation/Forwarder/9.0.3/Forwarder/Configureforwardingwithoutputs.conf
Configure the universal forwarder to send data over hyper text transfer protocol (HTTP) between Splunk platform instances when you are unable to open network traffic to use the Splunk to Splunk (S2S) service. A Splunk universal forwarder instance can perform either httpout or tcpout, but not both at the same time. There is currently no support to send ACKs to the client transaction.
To configure a universal forwarder to send data over HTTP, add an httpout stanza to the outputs.conf file on your universal forwarder.
It also states that
Hi @rasikmhetre,
yes, it's possible, you can see how at https://docs.splunk.com/Documentation/Splunk/9.0.0/Forwarding/Routeandfilterdatad.
In a few words, you have to configure in the outputs.conf of your target both the destinations, and all the logs will be sent to both the destinations.
If you want, you can also be selective in the logs you choose.
Ciao.
Giuseppe
Thanks for your reply. I did find this document and implemented it in the same way, but I am not able to get any data on the indexer, which is the [tcpout] block in outputs.conf. I am able to get the data on my HEC, which is my [httpout] in outputs.conf.
Hello @gcusello
[tcpout]
server = indexerip:9997
disabled = false
[httpout:target2]
httpEventCollectorToken = <hec token>
uri = http://hecip:8088
disabled = false
Hi @rasikmhetre,
the configuration seems to be correct; are you sure that there isn't any other block (e.g. firewall)?
Can you reach the Indexer via telnet from the client?
I'm sure that you enabled receiving on the Indexer.
What happens if you disable the httpout output?
Ciao.
Giuseppe
@gcusello yes I am able to reach the indexer, I am able to see Connected to idx:9997 in my log. Trying to disable httpout now
@gcusello httpout ingestion has stopped now, but even tcpout is blank.
Hello @gcusello, I replicated the same thing in another environment and it worked; the only thing I changed is in tcpout's default stanza:
[tcpout]
defaultGroup = splunk-index-cluster,hec-group
Now it has started sending data to both destinations. Thanks, and I appreciate your help!!
Hi @rasikmhetre,
good for you, see next time!
Please accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hey @gcusello, I came here to mark the answer, and just now noticed that data has stopped coming to my HEC, and Google says:
A Splunk universal forwarder instance can perform either httpout or tcpout, but not both at the same time.
😥
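Added example, not code from the thread participants or from Splunk: a small checker that parses an outputs.conf and flags the combination the docs quoted above rule out on a universal forwarder (an enabled httpout stanza alongside an enabled tcpout or syslog stanza), plus a defaultGroup entry that names a group with no stanza. The sample configuration is constructed from what was posted in this thread; the stanza/key layout assumed is the standard Splunk .conf style ([stanza] headers, key = value lines, # comments).

```python
"""Lint a Splunk outputs.conf for the httpout/tcpout conflict discussed above.

Added example (not Splunk's own tooling). Assumes the standard .conf layout
and the documented rule: a universal forwarder can perform either httpout or
tcpout, but not both at the same time.
"""
from __future__ import annotations

from typing import Dict, List

# Constructed sample: the configuration posted in this thread, with the
# defaultGroup that was added later.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = splunk-index-cluster,hec-group
disabled = false

[tcpout:splunk-index-cluster]
server = indexerip:9997

[httpout:hec-group]
httpEventCollectorToken = <hec token>
uri = http://hecip:8088
disabled = false
"""

OUTPUT_TYPES = ("tcpout", "httpout", "syslog")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .conf text into {stanza_name: {key: value}}."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = "default"  # keys before the first [stanza] belong to [default]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def is_enabled(settings: Dict[str, str]) -> bool:
    """A stanza is active unless it carries disabled = true/1."""
    return settings.get("disabled", "false").lower() not in ("true", "1")


def active_output_types(stanzas: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Group enabled output stanzas by type: tcpout, httpout, syslog."""
    active: Dict[str, List[str]] = {}
    for name, settings in stanzas.items():
        output_type = name.split(":", 1)[0]
        if output_type in OUTPUT_TYPES and is_enabled(settings):
            active.setdefault(output_type, []).append(name)
    return active


def find_conflicts(text: str, is_universal_forwarder: bool = True) -> List[str]:
    """Return human-readable problems found in the given outputs.conf text."""
    stanzas = parse_conf(text)
    active = active_output_types(stanzas)
    problems: List[str] = []

    # Documented UF limitation: httpout cannot run alongside tcpout or syslog.
    others = active.get("tcpout", []) + active.get("syslog", [])
    if is_universal_forwarder and "httpout" in active and others:
        problems.append(
            "universal forwarder has enabled httpout "
            f"{active['httpout']} together with {others}; only one of "
            "httpout or tcpout/syslog will actually deliver data"
        )

    # Every group named in [tcpout] defaultGroup should have a stanza.
    default_group = stanzas.get("tcpout", {}).get("defaultGroup", "")
    for group in (g.strip() for g in default_group.split(",") if g.strip()):
        if not any(f"{t}:{group}" in stanzas for t in OUTPUT_TYPES):
            problems.append(
                f"defaultGroup references '{group}' but no [tcpout:{group}] "
                f"or [httpout:{group}] stanza exists"
            )
    return problems


if __name__ == "__main__":
    for problem in find_conflicts(SAMPLE_OUTPUTS_CONF):
        print("WARNING:", problem)
```

Run it against a forwarder's etc/system/local/outputs.conf (or the merged output of btool) before relying on dual delivery; passing is_universal_forwarder=False skips the UF-only check, since the thread reports the combination behaving differently on a heavy forwarder.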
Hi @rasikmhetre,
I didn't know this: I sent logs using tcpout and syslog without problems. Anyway, if your need is to send logs to a third party and to a Splunk Indexer, you could try from an Indexer or (if present) a Heavy Forwarder.
Ciao.
Giuseppe