Configuring outputs.conf by location

mocallaghan
Engager

I have two datacenters in two locations that will each have 2 Search Heads and 6 Indexers in them. I'd like to configure the outputs.conf file for an app with data in City A only going to indexers in City A and data in City B only going to indexers in City B. I imagine that I'll need to edit the serverclass.conf file to add a unique server class for the indexers in City A and a server class for the indexers in City B. After that, how should I set up the outputs.conf file for the app? An example of the outputs.conf is:

[tcpout]
defaultGroup = express_cityA

[tcpout:express_cityA]
server = cityAserver01.domain.local:9997,cityAserver02.domain.local:9997
autoLB = true

[tcpout]
defaultGroup = express_cityB

[tcpout:express_cityB]
server = cityBserver01.domain.local:9997,cityBserver02.domain.local:9997
autoLB = true

I'm looking for some confirmation that this is correct.

Thanks in advance!

0 Karma

chris
Motivator

You want to deploy outputs.conf to your forwarders using the deployment server, right? I would create two apps, one with an outputs.conf for cityA and one for cityB. If you can distinguish forwarders from the different cities by the IP or the DNS name, then use that for the whitelist; otherwise you will have to set the clientName in deploymentclient.conf.
The following should work:
serverclass.conf:

[global]

[serverClass:cityA]
whitelist.0=*cityA*
[serverClass:cityA:app:cityAoutputs]

[serverClass:cityB]
whitelist.0=*cityB*
[serverClass:cityB:app:cityBoutputs]

In $SPLUNK_HOME/etc/deployment-apps/cityAoutputs/local/outputs.conf

[tcpout]
defaultGroup = express_cityA

[tcpout:express_cityA]
server = cityAserver01.domain.local:9997,cityAserver02.domain.local:9997
autoLB = true

And in $SPLUNK_HOME/etc/deployment-apps/cityBoutputs/local/outputs.conf

[tcpout]
defaultGroup = express_cityB

[tcpout:express_cityB]
server = cityBserver01.domain.local:9997,cityBserver02.domain.local:9997
autoLB = true
0 Karma
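
Added example, not part of the thread or of Splunk's own tooling: a small Python check that contrasts the single-file outputs.conf from the question with the per-city app from the answer above. It flags more than one [tcpout] defaultGroup in a file and any default-group server whose hostname lacks the site name; matching a site by hostname substring is an assumption based on the cityA/cityB naming used in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the cityAoutputs app's outputs.conf as given in the answer.
CITYA_APP = """[tcpout]
defaultGroup = express_cityA

[tcpout:express_cityA]
server = cityAserver01.domain.local:9997,cityAserver02.domain.local:9997
autoLB = true
"""
# The single-file example from the question: both cities' stanzas in one outputs.conf.
QUESTION_EXAMPLE = CITYA_APP + "\n" + CITYA_APP.replace("cityA", "cityB")

def parse_stanzas(text):
    """Return [(stanza_name, {key: value})] in file order, keeping duplicate stanzas."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = (header.group(1), {})
            stanzas.append(current)
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return stanzas

def check_outputs(text, site):
    """Return findings for an outputs.conf that should only send to `site` indexers."""
    findings, stanzas = [], parse_stanzas(text)
    defaults = [s["defaultGroup"] for name, s in stanzas
                if name == "tcpout" and "defaultGroup" in s]
    if len(defaults) > 1:
        findings.append(f"multiple [tcpout] defaultGroup settings: {defaults}")
    groups = {name.split(":", 1)[1]: s for name, s in stanzas if name.startswith("tcpout:")}
    for group in (g.strip() for entry in defaults for g in entry.split(",")):
        if group not in groups:
            findings.append(f"defaultGroup {group} has no [tcpout:{group}] stanza")
            continue
        for server in groups[group].get("server", "").split(","):
            host = server.strip().rsplit(":", 1)[0]
            if host and site.lower() not in host.lower():
                findings.append(f"{group}: {host} is not a {site} indexer")
    return findings

if __name__ == "__main__":
    for finding in check_outputs(QUESTION_EXAMPLE, "cityA"):
        print(finding)
```

The per-city app file passes cleanly, while the combined file from the question is reported for its conflicting defaultGroup values and for the City B servers.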

jonuwz
Influencer

Ah. I probably misunderstood the question. I thought setting defaultgroup in etc/app/local/outputs.conf would be specific to that app, and the defaultgroup set in system/local would be used elsewhere.

0 Karma

chris
Motivator

Hm, correct me if I am wrong, but defining a defaultgroup, if it is just done once, should in this case apply for the entire forwarder that receives the app through the deployment server. The defaultgroup is then implicitly applied to all inputs. So a forwarder in City A will forward all its inputs to the indexers in City A. You can check the current config with "/opt/splunkforwarder/bin/splunk btool outputs list" but you probably already knew that.

0 Karma

jonuwz
Influencer

Does setting a defaultgroup in an app override the routing for that app?
I normally have to set _TCP_ROUTING in inputs.conf for the app's inputs.

0 Karma