
Splunk DB Connect: Is it possible to redirect a specific input to a different set of indexers?

Contributor

Can I configure Splunk DB Connect to send data to a different set of indexers ONLY for a specific input in particular?

We can do that via TCP routing and selecting different receiver groups for sure.

But is that supported in Splunk DB Connect to add _TCP_ROUTING instead of index?

e.g.

[dbmon-tail://donutDB/cinnamonSugar]
host = springfield.co.us
index = doh
interval = 00 * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = date_entered
output.timestamp.format = yyyy-MM-dd-HH.mm.ss.SSSSSS
query = SELECT  donut FROM HOMER_STORE   {{AND  $rising_column$ > ?}}
sourcetype = dbmon:kv
table = HOMER_STORE   
tail.rising.column = donut_no
disabled = 0

Instead of index = doh, could I add _TCP_ROUTING = moes?

outputs.conf
[tcpout:moes]
server = moe_tavern01:9997,moe_tavern02:9997,moe_tavern03:9997
autoLB = true

0 Karma

Re: Splunk DB Connect: Is it possible to redirect a specific input to a different set of indexers?

Esteemed Legend

I am assuming that you are running this on a Heavy Forwarder. If not, DO THAT FIRST.

You should use both index and _TCP_ROUTING.
The outputs.conf file defines the physical target Indexer addresses and assigns a logical name (i.e. [tcpout:moes]).
The inputs.conf defines to which of the logical targets the data should be sent (i.e. _TCP_ROUTING = moes).
The outputs.conf and inputs.conf files need not be in the same app. So add the following settings:

/etc/system/local/outputs.conf

[tcpout:moes]
server = moe_tavern01:9997,moe_tavern02:9997,moe_tavern03:9997 
autoLB = true

/etc/apps/MyApp/default/inputs.conf

[dbmon-tail://donutDB/cinnamonSugar]
host = springfield.co.us
index = doh
interval = 00 * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = date_entered
output.timestamp.format = yyyy-MM-dd-HH.mm.ss.SSSSSS
query = SELECT  donut FROM HOMER_STORE   {{AND  $rising_column$ > ?}}
sourcetype = dbmon:kv
table = HOMER_STORE   
tail.rising.column = donut_no
disabled = 0
_TCP_ROUTING = moes

0 Karma
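
A per-input route only works if the group named in _TCP_ROUTING matches a [tcpout:<group>] stanza, so a typo can send data to the wrong indexers. The following lint check is an added example, not part of the original posts and not Splunk or DB Connect code; it assumes each file is supplied as already-merged text, and the second input stanza and the group name "krusty" are constructed for illustration.

```python
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_routing(inputs_text, outputs_text):
    """Return (stanza, group) pairs whose _TCP_ROUTING names no [tcpout:<group>]."""
    groups = {name.split(":", 1)[1]
              for name in parse_conf(outputs_text) if name.startswith("tcpout:")}
    problems = []
    for stanza, settings in parse_conf(inputs_text).items():
        # _TCP_ROUTING takes a comma-separated list; "*" means every group.
        for group in settings.get("_TCP_ROUTING", "").split(","):
            group = group.strip()
            if group and group != "*" and group not in groups:
                problems.append((stanza, group))
    return problems

# Constructed sample input, based on the stanzas in this thread.
OUTPUTS = """
[tcpout:moes]
server = moe_tavern01:9997,moe_tavern02:9997,moe_tavern03:9997
"""
INPUTS = """
[dbmon-tail://donutDB/cinnamonSugar]
index = doh
_TCP_ROUTING = moes

[dbmon-tail://donutDB/glazed]
index = doh
_TCP_ROUTING = moes, krusty
"""

if __name__ == "__main__":
    for stanza, group in check_routing(INPUTS, OUTPUTS):
        print(f"{stanza}: _TCP_ROUTING group '{group}' has no [tcpout:{group}] stanza")
```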

Re: Splunk DB Connect: Is it possible to redirect a specific input to a different set of indexers?

Contributor

Well thanks for the reply woodcock!

The need was later dropped & the receiver agreed to get their own DBX.. D'oh!

I haven't tested this because the DBX app writes to local spool ($SPLUNK_HOME/var/spool/dbmon/) and then forwards to indexers; I was NOT sure if the _TCP_ROUTING itself will work..

Your answer seems to suggest that the spool files will be written but the _TCP_ROUTING will have the cooked events sent across to receivers..

As mentioned, I haven't had a chance to test it though..

Have you had something similar working please?

0 Karma