Splunk DB Connect: Is it possible to redirect a specific input to a different set of indexers?

stanwin
Contributor

Can I configure Splunk DB Connect to send data to a different set of indexers ONLY for a specific input in particular?

We can do that via TCP routing and selecting a different receiver group, for sure.

But is it supported in Splunk DB Connect to add _TCP_ROUTING instead of index?

e.g.

[dbmon-tail://donutDB/cinnamonSugar]
host = springfield.co.us
index = doh
interval = 00 * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = date_entered
output.timestamp.format = yyyy-MM-dd-HH.mm.ss.SSSSSS
query = SELECT  donut FROM HOMER_STORE   {{AND  $rising_column$ > ?}}
sourcetype = dbmon:kv
table = HOMER_STORE   
tail.rising.column = donut_no
disabled = 0

Instead of index = doh, could I add _TCP_ROUTING = moes?

outputs.conf
[tcpout:moes]
server = moe_tavern01:9997,moe_tavern02:9997,moe_tavern03:9997
autoLB = true

0 Karma

thambisetty
SplunkTrust

It's possible with props.conf, transforms.conf and outputs.conf.

props.conf

[yoursourcetype_set_in_db_inputs]
TRANSFORMS-routing=route_to_t2

transforms.conf

[route_to_t2]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=t2_indexers

outputs.conf

[tcpout:t2_indexers]
server = 10.x.x.x:9997
————————————
If this helps, give a like below.

woodcock
Esteemed Legend

I am assuming that you are running this on a Heavy Forwarder. If not, DO THAT FIRST.

You should use both index and _TCP_ROUTING.
The outputs.conf file defines the physical target Indexer addresses and assigns a logical name (i.e. [tcpout:moes]).
The inputs.conf defines which of the logical targets the data should be sent to (i.e. _TCP_ROUTING = moes).
The outputs.conf and inputs.conf files need not be in the same app. So add the following settings:

/etc/system/local/outputs.conf

[tcpout:moes]
server = moe_tavern01:9997,moe_tavern02:9997,moe_tavern03:9997 
autoLB = true

/etc/apps/MyApp/default/inputs.conf

[dbmon-tail://donutDB/cinnamonSugar]
host = springfield.co.us
index = doh
interval = 00 * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = date_entered
output.timestamp.format = yyyy-MM-dd-HH.mm.ss.SSSSSS
query = SELECT  donut FROM HOMER_STORE   {{AND  $rising_column$ > ?}}
sourcetype = dbmon:kv
table = HOMER_STORE   
tail.rising.column = donut_no
disabled = 0
_TCP_ROUTING = moes
0 Karma
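
An added example, not part of any post in this thread: a Python check that every tcpout group named by _TCP_ROUTING in inputs.conf, or by a transforms.conf stanza with DEST_KEY=_TCP_ROUTING, is actually defined in outputs.conf. The sample files are constructed from the stanzas quoted above and the function names are hypothetical; it checks only that group names resolve, not whether DB Connect honors the setting.

```python
import configparser

# Constructed sample files, trimmed from the stanzas quoted in this thread.
INPUTS = """
[dbmon-tail://donutDB/cinnamonSugar]
index = doh
query = SELECT  donut FROM HOMER_STORE   {{AND  $rising_column$ > ?}}
sourcetype = dbmon:kv
_TCP_ROUTING = moes
"""
TRANSFORMS = """
[route_to_t2]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=t2_indexers
"""
OUTPUTS = """
[tcpout:moes]
server = moe_tavern01:9997,moe_tavern02:9997,moe_tavern03:9997
"""

def parse_conf(text):
    """Parse Splunk .conf text as INI, keeping key case and literal values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # do not lowercase _TCP_ROUTING / DEST_KEY
    cp.read_string(text)
    return cp

def split_groups(value):
    """A routing value may name several groups, comma-separated."""
    return [g.strip() for g in value.split(",") if g.strip()]

def undefined_groups(inputs_txt, transforms_txt, outputs_txt):
    """Return (file, stanza, group) for each routing target with no [tcpout:<group>] stanza."""
    inputs, transforms = parse_conf(inputs_txt), parse_conf(transforms_txt)
    outputs = parse_conf(outputs_txt)
    defined = {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")}
    refs = [("inputs.conf", s, g) for s in inputs.sections()
            for g in split_groups(inputs[s].get("_TCP_ROUTING", ""))]
    refs += [("transforms.conf", s, g) for s in transforms.sections()
             if transforms[s].get("DEST_KEY", "").strip() == "_TCP_ROUTING"
             for g in split_groups(transforms[s].get("FORMAT", ""))]
    return [r for r in refs if r[2] not in defined]

if __name__ == "__main__":
    for conf, stanza, group in undefined_groups(INPUTS, TRANSFORMS, OUTPUTS):
        print(f"{conf} [{stanza}] routes to undefined tcpout group '{group}'")
```
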

thambisetty
SplunkTrust

@woodcock 

Using _TCP_ROUTING in db_inputs.conf will not work as splunk_app_db_connect uses HEC (HTTP Event Collector).

————————————
If this helps, give a like below.
0 Karma

stanwin
Contributor

Well thanks for the reply woodcock!

The need was later dropped & the receiver agreed to get their own DBX.. D'oh!

I haven't tested this because the DBX app writes to local spool ($SPLUNK_HOME/var/spool/dbmon/) and then forwards to indexers, I was NOT sure if the _TCP_ROUTING itself will work..

Your answer seems to suggest that the spool files will be written but the _TCP_ROUTING will have the cooked events sent across to receivers..

As mentioned I haven't had a chance to test it though ..

Have you had something similar working please?

0 Karma