I currently have some Windows Servers with the Universal Forwarder installed that are sending data to our indexer. I am now in a situation where I need to have the forwarder also send the data to a third party server. According to the documentation, the following in outputs.conf should send all data:
```
server = 10.1.1.2:1517
sendCookedData = false
```
However, the third party server is getting data, but it is only receiving "INFO" type logs, which appear to be transaction-type information from the Splunk forwarder program itself and not the actual log data (Windows events, IIS, etc.) that I am sending into Splunk and that I need.
Am I missing something or will the universal forwarder not send that data?
We do the following: in outputs.conf we specify multiple tcpout stanzas:

```
[tcpout:xxxxxx]
....

[tcpout:yyyyyy]
....
```

If you don't specify anything in inputs.conf, all data will be streamed in both directions (or three if you choose to).
Do you have a props.conf and transforms.conf configured to tell the forwarder what data to send? See: http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Forwarddatatothird-partysystemsd
```
# props.conf
[<sourcetype/data to send>]
TRANSFORMS-fastlane = fastlane

# transforms.conf
[fastlane]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = fastlane
```
It might vary a bit for your configuration but the linked docs walk through it pretty well.
I saw that in the documentation, but it said it was for a heavy forwarder, and I am using a Universal Forwarder. I will give it a try and see; it would allow me to separate better than the way I was doing it with the default group. Thanks
Yep, you're right. I believe with a universal forwarder you can forward everything using what you just posted. Using a heavy forwarder you can selectively forward data to the third-party system.
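Putting the two answers above together, here is an added, self-contained set of config fragments (not from the original thread and not Splunk's own documentation): the outputs.conf that streams every input to both destinations, which a universal forwarder can do on its own, and the props.conf/transforms.conf selective routing that, as noted above, needs a heavy forwarder. The indexer address and the sourcetype are assumed placeholders; Splunk .conf files only accept comments on their own lines, so none are inline.

```ini
# ---- outputs.conf (universal or heavy forwarder) ----
[tcpout]
# Every input is sent to both groups unless a routing rule overrides it.
defaultGroup = indexers, fastlane

[tcpout:indexers]
# Assumed placeholder for your own indexer.
server = 10.1.1.1:9997

[tcpout:fastlane]
# Third-party receiver from the question. sendCookedData = false sends
# raw event lines instead of Splunk's cooked forwarder protocol; there is
# no TLS on this connection unless you also configure the ssl* settings.
server = 10.1.1.2:1517
sendCookedData = false

# ---- props.conf (heavy forwarder only) ----
# The stanza name is an assumed example sourcetype; routing by sourcetype
# needs the parsing pipeline, which a universal forwarder does not run.
[WinEventLog:Security]
TRANSFORMS-fastlane = fastlane

# ---- transforms.conf (heavy forwarder only) ----
[fastlane]
# REGEX = . matches every event of the sourcetype above.
REGEX = .
DEST_KEY = _TCP_ROUTING
# Matching events go ONLY to the groups listed here; they no longer
# follow defaultGroup. Use FORMAT = indexers, fastlane to keep a copy
# on your indexers as well.
FORMAT = fastlane
```

With only the outputs.conf part in place, the forwarder sends every input to both groups, which is the behaviour the first answer describes; the props/transforms part narrows what reaches the third party to the listed sourcetype.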
Where you have added the below, is it the same in the outputs.conf located in the local directory? I am really a newbie in Splunk and would like to know whether you updated the below as is.

```
defaultGroup = default-autolb-group, fastlane   <--- Added
```