Getting Data In

Configuring outputs.conf by location

mocallaghan
Engager

I have two datacenters in two locations that will each have 2 Search Heads and 6 Indexers in them. I'd like to configure the outputs.conf file for an app with data in City A only going to indexers in City A and data in City B only going to indexers in City B. I imagine that I'll need to edit the serverclass.conf file to add a unique server class for the indexers in City A and a server class for the indexers in City B. After that, how should I set up the outputs.conf file for the app? An example of the outputs.conf is:

[tcpout]
defaultGroup = express_cityA

[tcpout:express_cityA]
server = cityAserver01.domain.local:9997,cityAserver02.domain.local:9997
autoLB = true

[tcpout]
defaultGroup = express_cityB

[tcpout:express_cityB]
server = cityBserver01.domain.local:9997,cityBserver02.domain.local:9997
autoLB = true

I'm looking for some confirmation that this is correct.

Thanks in advance!

Tags (1)
0 Karma

chris
Motivator

You want to deploy outputs.conf to you forwarders using the deployment server right? I would create two apps one with an outputs.conf for cityA and one for cityB. If you can distinguish forwarders from the different cities by the ip or the dns name then use that for the whitelist otherwise you will have to set the clientName in deploymentclient.conf
The following should work:
serverclass.conf:

[global]

[serverClass:cityA]
whitelist.0=*cityA*
[serverClass:cityA:app:cityAoutputs]

[serverClass:cityB]
whitelist.0=*cityB*
[serverClass:cityB:app:cityBoutputs]

In $SPLUNK_HOME/etc/deployment-apps/cityAoutputs/local/outputs.conf

[tcpout]
defaultGroup = express_cityA

[tcpout:express_cityA]
server = cityAserver01.domain.local:9997,cityAserver02.domain.local:9997
autoLB = true

And in $SPLUNK_HOME/etc/deployment-apps/cityBoutputs/local/outputs.conf

[tcpout]
defaultGroup = express_cityB

[tcpout:express_cityB]
server = cityBserver01.domain.local:9997,cityBserver02.domain.local:9997
autoLB = true
0 Karma

jonuwz
Influencer

Ah. I probably misunderstood the question. I thought setting defaultgroup in etc/app/local/outputs.conf would be specific to that app, and the defaultgroup set in system/local would be used elsewhere.

0 Karma

chris
Motivator

Hm, correct me if I am wrong, but defining a defaultgroup, if it is just done once, should in this case apply for the entire forwarder that receives the app through the deployment server. The defaultgroup is then implicitly applied to all inputs. So a forwarder in City A will forward all its inputs to the indexers in City A. You can check the current config with "/opt/splunkforwarder/bin/splunk btool outputs list" but you probably already knew that.

0 Karma

jonuwz
Influencer

Does setting a defaultgroup in an app override the routing for that app ?
I normally have to set _TCP_ROUTING in inputs.conf for the apps inputs

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...