Can I configure Splunk DB Connect to send data to different set of indexers ONLY for a specific input in particular?
we can do that via tcp routing and selecting a different receiver groups for sure.
But is that supported in Splunk DB Connect to add _TCPROUTING instead of index?
e.g.
[dbmon-tail://donutDB/cinnamonSugar]
host = springfield.co.us
index = doh
interval = 00 * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = date_entered
output.timestamp.format = yyyy-MM-dd-HH.mm.ss.SSSSSS
query = SELECT donut FROM HOMER_STORE {{AND $rising_column$ > ?}}
sourcetype = dbmon:kv
table = HOMER_STORE
tail.rising.column = donut_no
disabled = 0
instead of index = doh could i add _TCP_ROUTING = moes
outputs.conf
[tcpout:moes]
server = moe_tavern01:9997,moe_tavern02:9997,moe_tavern03:9997
autoLB = true
its possible with props.conf, transforms.conf and outputs.conf
props.conf
[yoursourcetype_set_in_db_inputs]
TRANSFORMS-routing=route_to_t2
transforms.conf
[route_to_t2]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=t2_indexers
outputs.conf
[tcpout:t2_indexers]
server = 10.x.x.x:9997
I am assuming that you are running this on a Heavy Forwarder. If not DO THAT FIRST.
You should use both index
and _TCP_ROUTING
.
The outputs.conf
file defines the physical target Indexer addresses and assigns a logical name (i.e. [tcpout:moes]
).
The inputs.conf
defines, to which of the logical targets the data should be sent (i.e. _TCP_ROUTING = moes
).
The outputs.conf
and inputs.conf
files need not be in the same app. So add the following settings:
/etc/system/local/outputs.conf
[tcpout:moes]
server = moe_tavern01:9997,moe_tavern02:9997,moe_tavern03:9997
autoLB = true
/etc/apps/MyApp/default/inputs.conf
[dbmon-tail://donutDB/cinnamonSugar]
host = springfield.co.us
index = doh
interval = 00 * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = date_entered
output.timestamp.format = yyyy-MM-dd-HH.mm.ss.SSSSSS
query = SELECT donut FROM HOMER_STORE {{AND $rising_column$ > ?}}
sourcetype = dbmon:kv
table = HOMER_STORE
tail.rising.column = donut_no
disabled = 0
_TCP_ROUTING = moes
using _TCP_ROUTING in db_inputs.conf will not work as splunk_app_db_connect uses HEC(HTTP Event Collector).
Well thanks for the reply woodcock!
The need was later dropped & the receiver agreed to get their own DBX.. D'oh!
I havent tested this because the DBX app writes to local spool ($SPLUNK_HOME/var/spool/dbmon/) and than forwards to indexers, I was NOT sure if the _TCP_ROUTING itself will work..
Your answer seems to suggest that the spool files will be written but the _TCP_ROUTING will have the cooked events sent across to receivers..
As mentioned I havent had a chance to test it though ..
Have you had something similar working please?