All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

sending splunk db connect data to another indexing cluster

sbattista09
Contributor
‎05-24-2018 05:23 AM

I was hoping you can change just specific inputs in DB connect to send to a different indexing cluster. I do not see a outputs.conf in the db connect app files and i am not sure where to place something like a "_TCP_ROUTING = blah". has any one else accomplished this before?

This is how i have been doing it for syslogs-
outputs.conf in my HWF for syslogs:
[tcpout:idxbankA]
server = splunkidx01.bla.org:9993, splunkidx02.bla.org:9993, splunkidx03.bla.org:9993, splunkidx04.blah.org:9993
autoLBFrequency = 7
forceTimebasedAutoLB = true

inputs.conf
[udp://100.10.10.10:514]
index = blah
sourcetype = blah_blah_blah
connection_host = ip
disabled = 0
_TCP_ROUTING = idxbankA

Then they just send to a intermediate forwarder and get passed to different indexers in the _TCP_ROUTING = idxbankA. It works well so far.

For the UF's i just changed the outputs.conf via a deployment app to send to: splunkidx01.bla.org:9993, splunkidx02.bla.org:9993, splunkidx03.bla.org:9993, splunkidx04.blah.org:9993.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...