Forward subset of logs via _TCP_ROUTING

sonicZ
Contributor

Using a heavy forwarder, I'm having some issues using the _TCP_ROUTING examples posted in the Splunk docs and some Splunk Answers posts.
I am just trying to forward a specific sourcetype's logs to another forwarder. Is this correct, or is there anything I am doing wrong?

In props.conf
[somesourcetype]
TRANSFORMS-log_subset = some_logs

In transforms.conf
[some_logs]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=some_logs_subset

In outputs.conf
[tcpout:some_logs_subset]
server=serverip:port

Drainy
Champion

Your config looks fine to me.

Have you correctly defined the input on the other side and tested connectivity?

0 Karma

sonicZ
Contributor

Another oddity is that if I specify
[tcp://9997]
instead of splunktcp, the data comes in and is indexed, but it's still coming in cooked:

--splunk-cooked-mode-v3--\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 etc...

So connectivity seems fine; it just seems like this instance is not handling cooked "splunktcp" data correctly.

0 Karma

sonicZ
Contributor

I should also mention this is a Splunk 4.3.3 instance forwarding to Splunk 5.0.3.

0 Karma

sonicZ
Contributor

I basically just have this on the receiving forwarder. Connectivity is fine in the splunkd logs from forwarder to forwarder and via port connect tests (telnet).

[splunktcp://9997]
connection_host = dns
index = iseclog_core
sourcetype = logger_cef

0 Karma

lmyrefelt
Builder

You can do it with a combination of inputs and outputs.

inputs.conf

[monitor:///some/path/to/some/files/]
_TCP_ROUTING = my_new_route
source =
sourcetype =
host =
blacklist =

outputs.conf

[tcpout]
defaultGroup = our_default_route

# group name must match the one referenced by defaultGroup
[tcpout:our_default_route]
server = 0.0.0.0:0000

# group name must match the _TCP_ROUTING value in inputs.conf
[tcpout:my_new_route]
server = 1.1.1.1:1111

0 Karma
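Both the props/transforms approach in the original post and the inputs.conf approach in this answer end up naming a tcpout group, and the most common failure is a group name that outputs.conf never defines (or that differs by a typo). The checker below is an added example, not code from the thread or from Splunk: it parses constructed props.conf, transforms.conf, inputs.conf and outputs.conf text, resolves which group one event would be routed to, and lists every _TCP_ROUTING target that has no matching [tcpout:<group>] stanza. The conf text and the 192.0.2.x addresses are constructed; the precedence model (transform over input stanza over defaultGroup) and matching REGEX against _raw only are simplifications of what Splunk does at parse time.

```python
"""Offline checker for Splunk _TCP_ROUTING configuration (added example)."""
import configparser
import re

# Constructed sample configs, not the poster's real files. Note that
# my_new_route is referenced by inputs.conf but never defined in outputs.conf;
# that is exactly the kind of mismatch the checker is meant to surface.
PROPS_CONF = """
[somesourcetype]
TRANSFORMS-log_subset = some_logs
"""

TRANSFORMS_CONF = """
[some_logs]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = some_logs_subset
"""

INPUTS_CONF = """
[monitor:///some/path/to/some/files/]
_TCP_ROUTING = my_new_route
sourcetype = file_logs

[splunktcp://9997]
connection_host = dns
"""

OUTPUTS_CONF = """
[tcpout]
defaultGroup = our_default_route

[tcpout:our_default_route]
server = 192.0.2.10:9997

[tcpout:some_logs_subset]
server = 192.0.2.20:9997
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # _TCP_ROUTING and DEST_KEY are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def load_sample():
    """Return (inputs, props, transforms, outputs) from the constructed text."""
    return (parse_conf(INPUTS_CONF), parse_conf(PROPS_CONF),
            parse_conf(TRANSFORMS_CONF), parse_conf(OUTPUTS_CONF))


def tcpout_groups(outputs):
    """Group names outputs.conf actually defines as [tcpout:<group>]."""
    return {s[len("tcpout:"):] for s in outputs if s.startswith("tcpout:")}


def _split(value):
    """Splunk allows comma-separated group lists in these settings."""
    return [v.strip() for v in value.split(",") if v.strip()]


def resolve_route(input_stanza, sourcetype, raw, inputs, props, transforms,
                  outputs):
    """Resolve the tcpout group(s) for one event and flag undefined ones.

    Simplified precedence: a transform with DEST_KEY=_TCP_ROUTING whose REGEX
    matches _raw beats _TCP_ROUTING on the input stanza, which beats the
    [tcpout] defaultGroup.
    """
    groups = _split(outputs.get("tcpout", {}).get("defaultGroup", ""))
    reason = "[tcpout] defaultGroup"
    if "_TCP_ROUTING" in inputs.get(input_stanza, {}):
        groups = _split(inputs[input_stanza]["_TCP_ROUTING"])
        reason = f"_TCP_ROUTING on [{input_stanza}]"
    for key, names in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in _split(names):
            t = transforms.get(name, {})
            if t.get("DEST_KEY") != "_TCP_ROUTING":
                continue
            if re.search(t.get("REGEX", "."), raw):
                groups = _split(t.get("FORMAT", ""))
                reason = f"transforms.conf [{name}] via props.conf [{sourcetype}]"
    defined = tcpout_groups(outputs)
    return {"groups": groups, "reason": reason,
            "undefined": [g for g in groups if g not in defined]}


def dangling_routes(inputs, transforms, outputs):
    """Every routing target referenced anywhere but missing from outputs.conf."""
    referenced = set(_split(outputs.get("tcpout", {}).get("defaultGroup", "")))
    for kv in inputs.values():
        referenced.update(_split(kv.get("_TCP_ROUTING", "")))
    for kv in transforms.values():
        if kv.get("DEST_KEY") == "_TCP_ROUTING":
            referenced.update(_split(kv.get("FORMAT", "")))
    return sorted(referenced - tcpout_groups(outputs))


if __name__ == "__main__":
    confs = load_sample()
    print(resolve_route("splunktcp://9997", "somesourcetype",
                        "CEF:0|vendor|product|1|100|sample|3|", *confs))
    print(resolve_route("splunktcp://9997", "syslog", "<13>sample", *confs))
    print("undefined targets:", dangling_routes(confs[0], confs[2], confs[3]))
```

Pointing `parse_conf` at real files from `$SPLUNK_HOME/etc/system/local` (or the merged output of `splunk btool ... list`) turns this into a quick pre-restart sanity check; an empty `undefined` list for the sourcetype you care about is the condition the original post's config needs before connectivity is worth debugging.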

sonicZ
Contributor

This is a heavy forwarder receiving multiple inputs on different ports, so I am using the props.conf and transforms.conf files specified in the original post.

0 Karma

lmyrefelt
Builder

What kind of forwarder are you using? Can it be that you need another kind of forwarder (i.e. heavy) for what you want?

0 Karma

sonicZ
Contributor

The only problem I have is that we have an input on
[splunktcp:port]

that basically has a lot of data coming in. The sourcetype is mixed in with that data, so we only want to forward data that is of that particular sourcetype, preferably without changing the inputs.conf ports.

0 Karma