Getting Data In

Forwarding to multiple indexes

manuarora
Explorer

Hi,

I have following inputs.conf

[script://$SPLUNK_HOME/etc/apps/appa/bin/script1.sh]
index = index1
sourcetype = script1_detail
interval = 86400
TCP_ROUTING = splunk_02

[script://$SPLUNK_HOME/etc/apps/appa/bin/script2.sh]
index = index1
sourcetype = script2_detail
interval = 86400
TCP_ROUTING = splunk_02

And following outputs.conf

[tcpout]
defaultGroup = default-clone-group-splunk-01_9997
disabled = false
isLoadBalanced = False
maxQueueSize = 1000

[tcpout:default-clone-group-splunk-ux_9997]
disabled = false
server = splunk-ux01.domainname.com:9997

[tcpout:splunk_02]
disabled = false
server = splunk-ux02.domainname.com:9997

But my events are not getting indexed can you please help.

Tags (2)
0 Karma

suhprano
Path Finder

Check the logs, see if they're establishing connection to the receivers.

0 Karma

manuarora
Explorer

It was typo in posting question otherwise it is fine in configuration. Forwarder is not working for this particular application otherwise it works fine.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

It would be very helpful if you very carefully checked the file posted and make sure it is exactly the same as you actual configuration, and edit it accordingly if it is not.

0 Karma

Simeon
Splunk Employee
Splunk Employee

In your output, you have "splunk_ux02" instead of the "splunk_02" which is in the inputs.conf. That might possibly be the problem.

Also - does forwarding work without this?

0 Karma
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...