Getting Data In

Can you configure the Universal Forwarder on NIX (syslog) to send some logs to the indexer and others to a Heavy Forwarder?

HackerHurricane
Engager

We have a syslog server where there are many logs going to the indexer.

Can we configure the Linux Universal Forwarder to send some files to the indexer and others to the Heavy Forwarder to be post-processed (thinning out is the goal)?

How best to do this?

Two Univ Forwarder instances?

Or can a config deal with this?

Thanks,

MG


jtacy
Builder

What you want to do is definitely possible but I'm curious what other options you've looked at since this will add a little bit of complexity to your environment. I would probably consider doing some filtering/routing on the syslog server itself but if that wasn't an option I'd try filtering on the indexer. I'm concerned that you might not get the expected benefits unless you're going to be able to filter a large percentage of events at the heavy forwarder. It may depend on the event size, number of events per second, and also what specific problem you're trying to work around by filtering the events.

If you do want to go ahead and split the traffic, on a single UF you can create tcpout stanzas for your indexer and heavy forwarder, then when you need to route to your heavy forwarder you can use the _TCP_ROUTING option. It would look something like this (tested on UF 6.4.0 on Linux x64):

outputs.conf

[tcpout]
defaultGroup = indexer

[tcpout:indexer]
server = indexerhost:port

[tcpout:heavyforwarder]
server = heavyforwarderhost:port

inputs.conf

[monitor:///opt/splunk/app/good.txt]
index = main
sourcetype = good

[monitor:///opt/splunk/app/noisy.txt]
index = main
sourcetype = noisy
_TCP_ROUTING = heavyforwarder

# Route internal events to the indexer only to avoid duplicates.
# UF sends to all configured tcpout groups on these inputs by default.
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = indexer

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = indexer

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = indexer

The last set of inputs isn't required, but you'll end up with some duplicate events in _internal if you don't make the change; you'll be overriding some default UF behavior where _TCP_ROUTING = * on certain inputs, so keep in mind that the net effect of this could vary by UF version.

Note that because defaultGroup = indexer is set in outputs.conf, you only need to set _TCP_ROUTING = heavyforwarder when you need to override the default and won't have to change the rest of your inputs.

Relevant docs: http://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad
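Added here as a sanity check, not part of jtacy's answer or of Splunk itself: a small Python script that parses the two configs above with the standard library and reports the effective tcpout destination of every monitor stanza (`_TCP_ROUTING` if set, otherwise `defaultGroup`, with `*` meaning every group), flagging any stanza that names a group outputs.conf never defines. Host names and paths are the placeholders from the answer.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample, copied from the two stanza sets in the answer above.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = indexer

[tcpout:indexer]
server = indexerhost:port

[tcpout:heavyforwarder]
server = heavyforwarderhost:port
"""

INPUTS_CONF = """
[monitor:///opt/splunk/app/good.txt]

[monitor:///opt/splunk/app/noisy.txt]
_TCP_ROUTING = heavyforwarder

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = indexer
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text; keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_routing(inputs_text: str, outputs_text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Resolve each monitor stanza's tcpout targets and flag groups outputs.conf never defines."""
    outputs, inputs = parse_conf(outputs_text), parse_conf(inputs_text)
    groups = {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")}
    default = outputs["tcpout"].get("defaultGroup", "")
    routing: Dict[str, List[str]] = {}
    problems: List[Tuple[str, str]] = []
    for stanza in inputs.sections():
        if not stanza.startswith("monitor://"):
            continue
        route = inputs[stanza].get("_TCP_ROUTING", default)
        # "*" means every tcpout group; otherwise a comma-separated list of group names.
        targets = sorted(groups) if route == "*" else [g.strip() for g in route.split(",") if g.strip()]
        routing[stanza] = targets
        problems.extend((stanza, g) for g in targets if g not in groups)
    return routing, problems
```

A typo in a `_TCP_ROUTING` value shows up in the second return value, which is worth checking before a deploy since a stanza pointing at an undefined group silently sends nothing where you expected it.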
