_TCP_ROUTING for Heavy Forwarder

sudosplunk
Motivator

Hi Splunkers,

I've a situation where the _TCP_ROUTING setting in inputs.conf is not being honored by Splunk. Here is my architecture and the related config files.

HF --> Indexer cluster

On HF, $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint/local/opseclea_inputs.conf:

[FirewallEvents]
_TCP_ROUTING = fw_cluster

On HF, $SPLUNK_HOME/etc/apps/route_outputs/local/outputs.conf:

[tcpout]
indexAndForward = false
defaultGroup = main_cluster
autoLBFrequency = 15

[tcpout:main_cluster]
server = mainIDX1:9997,mainIDX2:9997,mainIDX3:9997,mainIDX4:9997
useACK = true
maxQueueSize = 7MB

[tcpout:fw_cluster]
server = fwIDX1:9997,fwIDX2:9997,fwIDX3:9997,fwIDX4:9997
useACK = true
maxQueueSize = 7MB

Events are still being routed to main_cluster instead of fw_cluster. This kind of routing is working for other data sources coming through UFs.

I've already reviewed metrics.log and splunkd.log and validated HF is making TCPInput connections to indexers (fw_cluster).

Any advice on troubleshooting is appreciated.

0 Karma

hrawat
Splunk Employee

@sudosplunk the setting is expected to be in inputs.conf (not in a custom inputs.conf).
All modinputs honor the meta setting starting with 6.4.
https://community.splunk.com/t5/Getting-Data-In/UF-Route-inputs-to-specific-indexers-based-on-the-da...

0 Karma
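The two checks raised so far (the setting only counts when it lives in a file literally named inputs.conf, and the group it names must exist as a [tcpout:<group>] stanza in outputs.conf) can be scripted before a restart. The following is an added example, not code from the thread or from Splunk; the file paths and the configuration snippets are constructed to mirror the question, and the "must be named inputs.conf" rule is taken from the answer above.

```python
import configparser
from pathlib import PurePosixPath

# Constructed outputs.conf mirroring the thread (not a real deployment).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = main_cluster

[tcpout:main_cluster]
server = mainIDX1:9997,mainIDX2:9997

[tcpout:fw_cluster]
server = fwIDX1:9997,fwIDX2:9997
"""

# Constructed input files keyed by their (hypothetical) path on the HF.
INPUT_FILES = {
    "/opt/splunk/etc/apps/Splunk_TA_checkpoint/local/opseclea_inputs.conf": """
[FirewallEvents]
_TCP_ROUTING = fw_cluster
""",
    "/opt/splunk/etc/apps/route_demo/local/inputs.conf": """
[monitor:///var/log/fw]
_TCP_ROUTING = fw_cluster

[monitor:///var/log/other]
_TCP_ROUTING = typo_cluster
""",
}


def parse_conf(text):
    """Parse a Splunk .conf file; keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def tcpout_groups(outputs_text):
    """Return the set of group names defined as [tcpout:<group>] stanzas."""
    cp = parse_conf(outputs_text)
    return {s.split(":", 1)[1] for s in cp.sections() if s.startswith("tcpout:")}


def check_routing(input_files, outputs_text):
    """Return (path, stanza, problem) tuples for _TCP_ROUTING settings that will not work."""
    groups = tcpout_groups(outputs_text)
    findings = []
    for path, text in input_files.items():
        cp = parse_conf(text)
        in_inputs_conf = PurePosixPath(path).name == "inputs.conf"
        for stanza in cp.sections():
            if "_TCP_ROUTING" not in cp[stanza]:
                continue
            target = cp[stanza]["_TCP_ROUTING"]
            if not in_inputs_conf:
                findings.append((path, stanza,
                                 "setting is only honored in inputs.conf, not in a custom-named file"))
            # The value may be a comma-separated list of groups; '*' is the system default.
            for group in (g.strip() for g in target.split(",")):
                if group != "*" and group not in groups:
                    findings.append((path, stanza,
                                     f"tcpout group '{group}' is not defined in outputs.conf"))
    return findings


if __name__ == "__main__":
    for path, stanza, problem in check_routing(INPUT_FILES, OUTPUTS_CONF):
        print(f"{path} [{stanza}]: {problem}")
```

Run against a real host, replace the embedded strings with the output of btool (for example `splunk btool inputs list --debug`), which already merges the layering for you.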

schose
Builder

Hi,

Routing with props.conf and transforms.conf instead of inputs.conf should do the job:

props:

[opsec]

TRANSFORMS-route=routefw_cluster

transforms:

[routefw_cluster]

REGEX=.+
DEST_KEY=_TCP_ROUTING
FORMAT=fw_cluster

Best regards,

Andreas

0 Karma
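To see what the props/transforms pair above actually does at parse time, here is an added example (not from the thread or from Splunk) that evaluates the rule the way the pipeline would: look up the event's sourcetype in props.conf, run each TRANSFORMS-* entry in order, match REGEX against the event's _raw (the default SOURCE_KEY), and when DEST_KEY is _TCP_ROUTING set the routing to FORMAT. Everything else falls back to the outputs.conf default group. The sample events and the exact-sourcetype matching are assumptions for the demonstration (real props.conf stanzas can also match on source:: and host:: patterns).

```python
import configparser
import re

# Constructed props.conf and transforms.conf following the answer above.
PROPS_CONF = """
[opsec]
TRANSFORMS-route = routefw_cluster
"""

TRANSFORMS_CONF = """
[routefw_cluster]
REGEX = .+
DEST_KEY = _TCP_ROUTING
FORMAT = fw_cluster
"""


def parse_conf(text):
    """Parse a Splunk .conf file, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def route_event(event, props_text, transforms_text, default_group="main_cluster"):
    """Return the tcpout group an event would be forwarded to under these rules."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    routing = default_group
    sourcetype = event.get("sourcetype", "")
    if sourcetype not in props:
        return routing  # no props stanza, so no transforms run
    for key, value in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            rule = transforms[name]
            source_key = rule.get("SOURCE_KEY", "_raw")
            if rule.get("DEST_KEY") != "_TCP_ROUTING":
                continue
            if re.search(rule["REGEX"], event.get(source_key, "")):
                routing = rule["FORMAT"]
    return routing


if __name__ == "__main__":
    # Constructed events: one checkpoint event, one unrelated syslog event.
    samples = [
        {"sourcetype": "opsec", "_raw": "action=accept src=10.0.0.1 dst=10.0.0.2"},
        {"sourcetype": "syslog", "_raw": "sshd[1]: session opened"},
    ]
    for ev in samples:
        print(ev["sourcetype"], "->", route_event(ev, PROPS_CONF, TRANSFORMS_CONF))
```

Because REGEX=.+ matches any non-empty _raw, every event with sourcetype opsec is redirected; an event whose _raw is empty would not match and would stay on the default group, which is worth knowing when a collector occasionally emits blank lines.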

ddrillic
Ultra Champion

What is _TCP_ROUTING for this specific input when running ./splunk cmd btool inputs list --debug?

0 Karma

sudosplunk
Motivator

Hi @ddrillic, Splunk is able to recognize the setting from the inputs.conf of only Splunk_TA_box but not Splunk_TA_checkpoint.

[splunk@HF ~]$ /splunk/bin/splunk btool inputs list --debug | grep '_TCP_ROUTING'
/splunk/etc/apps/Splunk_TA_box/local/inputs.conf                   _TCP_ROUTING = fw_cluster
/splunk/etc/system/default/inputs.conf                             _TCP_ROUTING = *
0 Karma

ddrillic
Ultra Champion

Anything that ./splunk cmd btool check reports? Maybe a syntax error...

sudosplunk
Motivator

Hi @ddrillic ,

Below is the output. Based on this output and @coccyx's answer, I believe that the _TCP_ROUTING setting doesn't work for modular inputs.

[splunk@HF local]$ /splunk/bin/splunk cmd btool check
                Invalid key in stanza [FirewallEvents] in /splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf, line 2: _TCP_ROUTING  (value:  fw_cluster).
                Invalid key in stanza [FirewallAudit] in /splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf, line 12: _TCP_ROUTING  (value:  fw_cluster).
[splunk@pespl027 local]$
0 Karma

FrankVl
Ultra Champion

It's been a while since I've worked with the OPSEC LEA add-on, but doesn't that generate multiple input stanzas, one for each log collection you define in the OPSEC add-on GUI? So shouldn't you be adding that _TCP_ROUTING setting in each of those generated inputs.conf sections?

0 Karma

sudosplunk
Motivator

Yes, it does. I have 2 stanzas, one for FirewallEvents and one for FirewallAudit. I added _TCP_ROUTING under both stanzas in inputs.conf but did not specify that in the question.

Another interesting thing: we are using Splunk_TA_box on the HF and these events are also not routed to fw_cluster even after explicitly defining _TCP_ROUTING under the stanza.

0 Karma