So I see data coming in:
04-13-2021 17:32:25.470 -0400 INFO StatusMgr - destPort=9997, eventType=connect_done, group=tcpin_connections, sourceHost=*.*.153.70, sourceIp=*.*.153.70, sourcePort=39820, statusee=TcpInputProcessor
But I can't find where this data is going. I have the source info and have searched all indexes on the above IPs as well as keywords/fields from the source but can't find it. Where does it go next? How can I tell if the indexer is generating errors or rejecting it?
This data is being sent directly to my indexer cluster from a remote CRIBL source. The data is text (comma delimited).
Where does the data go next?
Also, if I want to configure the IP, do I configure a source in the cluster master under master apps and push it out:
/master-apps/cribl/local/inputs.conf
[tcp://*.*.153.70:9997]
index=cribl
Or do I have to do this in /system/local/inputs.conf on each indexer?
Or do I have to forward to a HF first?
Thanks!