Getting Data In

Can I configure defaultGroup when remotely deploying a *nix universal forwarder with a static configuration?

will_paxata
Explorer

I am deploying universal forwarders with a bash script that is based on the sample script in http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Remotelydeployanixdfwithastaticconfigur...

My issue is that defaultGroup is defaulted to "default-autolb-group" in splunkforwarder/etc/system/local/outputs.conf.

I would like to default defaultGroup to "splunkcloud" rather than "default-autolb-group". Is there a Splunk-specific way to do that?

This document mentions that there are CLI commands for customizing forwarding behavior, but I cannot find any detail beyond that: http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Configureforwarderswithoutputs.confd

I appreciate any help!

0 Karma

jayannah
Builder

The following configuration for any splunk enterprise version (not for universal forwarder)

The below configuration send the data with sourcetype=mysourcetype to the 192.169.1.1 indexer and remaining data to 192.168.1.1 indexer.

Hope this configuration helps you.

props.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[mysourcetype]
TRANSFORMS-tcpfwd = sendtotcpreceiver

transforms.conf
~~~~~~~~~~~~~~~~~~~~~~~
[sendtotcpreceiver]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=tcpreceivergroup

output.conf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[tcpout]
defaultGroup = default-group

[tcpout: default-group]
server = 192.168.1.1:9997

[tcpout:tcpreceivergroup] <-- To Splunk indexer
server=192.169.1.1:7999

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...