Solved: Need help resolving why _TCP_ROUTING is not sendin...

john_glasscock · ‎08-31-2016

I have been trying to figure this out for a few days, and I am not getting anywhere.

I have specific data coming in on one server/directory that has a UF installed on it that I want to send to a specific Indexer/Index. Windows logs go to the index cluster, and the PII data needs to go to a stand alone indexer.

So, here is what I have currently,

**** OUTPUTS.CONF ****

[tcpout]
defaultGroup = ihf_cluster

[tcpout:ihf_cluster]
autoLB=true
server = 10.10.10.1:9997, 10.10.10.2:9997,10.10.10.3:9997,10.10.10.4:9997

[tcpout:Fraud]
server = 10.10.10.100:9997

**** INPUTS.CONF ****

[monitor:/E:\fraudlogs]
disabled = false
sourcetype = PII
index =  PII
_TCP_ROUTING = Fraud

john_glasscock · ‎09-01-2016

Sorry, it is working correctly. The problem was there was a firewall port 9997 that wasn't opened up by the firewall team, even though it was suppose to be. Thanks

View solution in original post

john_glasscock · ‎09-01-2016

Sorry, it is working correctly. The problem was there was a firewall port 9997 that wasn't opened up by the firewall team, even though it was suppose to be. Thanks

somesoni2 · ‎08-31-2016

The monitoring stanza is missing one slash /. Is it a typo OR actual entry that you've?
Please ensure that you configurations matches the example given in below link and you've restarted Splunk UF after making these changes.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad#Route_inputs_to_spe...

Need help resolving why _TCP_ROUTING is not sending specified data to specified indexer?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!