Getting Data In

Can I configure defaultGroup when remotely deploying a *nix universal forwarder with a static configuration?

will_paxata
Explorer

I am deploying universal forwarders with a bash script that is based on the sample script in http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Remotelydeployanixdfwithastaticconfigur...

My issue is that defaultGroup is defaulted to "default-autolb-group" in splunkforwarder/etc/system/local/outputs.conf.

I would like to default defaultGroup to "splunkcloud" rather than "default-autolb-group". Is there a Splunk-specific way to do that?

This document mentions that there are CLI commands for customizing forwarding behavior, but I cannot find any detail beyond that: http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Configureforwarderswithoutputs.confd

I appreciate any help!

0 Karma

jayannah
Builder

The following configuration for any splunk enterprise version (not for universal forwarder)

The below configuration send the data with sourcetype=mysourcetype to the 192.169.1.1 indexer and remaining data to 192.168.1.1 indexer.

Hope this configuration helps you.

props.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[mysourcetype]
TRANSFORMS-tcpfwd = sendtotcpreceiver

transforms.conf
~~~~~~~~~~~~~~~~~~~~~~~
[sendtotcpreceiver]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=tcpreceivergroup

output.conf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[tcpout]
defaultGroup = default-group

[tcpout: default-group]
server = 192.168.1.1:9997

[tcpout:tcpreceivergroup] <-- To Splunk indexer
server=192.169.1.1:7999

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...