Based on the docs ( http://www.splunk.com/base/Documentation/4.2.1/Deploy/Configureforwarderswithoutputs.confd#Define_ty... ), I've created this outputs.conf:
me@server:/opt/splunkforwarder> cat etc/apps/dc_global_uf/default/outputs.conf
[tcpout]
defaultGroup = *
indexAndForward = false
[tcpout:group1]
compressed = false
server = work:9997
useACK = true
However, that seems to not work and gives this error:
05-06-2011 23:06:11.174 -0400 ERROR TcpOutputProc - the 'defaultGroup' property contains an invalid group name - * - skipping
Did I read/do something incorrectly, or should the wildcard work?
defaultGroup cannot be a wildcard. It must refer to a specific group or list of groups, in your example,
defaultGroup = group1
defaultGroup = <target_group>, <target_group>, ...
* Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas.
* The forwarder sends all data to the specified groups.
* Can be set to a name that matches no groups to disable automatic forwarding. For example, "defaultGroup=do_not_forward".
* Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier.
* This attribute is required. The behavior of forwarding without this value is inconsistent across some versions.
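An added example, not part of the original answer and not Splunk's own tooling: a small Python check that reads an outputs.conf and compares every defaultGroup name against the [tcpout:<target_group>] stanzas, so a forwarder that would forward nothing by default is caught before deployment. The function names, the simplified parser and the error/warning split are assumptions of this sketch; the sample input is the configuration from the question.

```python
import re

# Constructed sample: the outputs.conf posted in the question.
SAMPLE = """\
[tcpout]
defaultGroup = *
indexAndForward = false
[tcpout:group1]
compressed = false
server = work:9997
useACK = true
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} (simplified: no line continuations)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_default_group(text):
    """Return (severity, message) findings about [tcpout] defaultGroup."""
    stanzas = parse_conf(text)
    defined = {s.split(":", 1)[1] for s in stanzas if s.startswith("tcpout:")}
    value = stanzas.get("tcpout", {}).get("defaultGroup")
    if not value:
        return [("error", "defaultGroup is required but not set in [tcpout]")]
    names = [n.strip() for n in value.split(",") if n.strip()]
    findings = []
    for name in names:
        if name not in defined:
            # A wildcard is rejected outright (see the logged ERROR); any other
            # unmatched name may be a deliberate "do_not_forward" style setting.
            severity = "error" if "*" in name else "warning"
            findings.append((severity, f"defaultGroup name {name!r} matches no [tcpout:<target_group>] stanza"))
    if not any(n in defined for n in names):
        findings.append(("warning", "no defined target group selected; nothing is forwarded by default"))
    return findings

if __name__ == "__main__":
    for severity, message in check_default_group(SAMPLE):
        print(f"{severity}: {message}")
```

An unmatched name without a wildcard is reported only as a warning because the spec text above allows it as a way to disable automatic forwarding.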