Getting Data In

Has anyone successfully configured _HTTPOUT_ROUTING in outputs.conf?

Contributor

hi all,

i read about the _HTTPOUT_ROUTING in outputs.conf at https://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad . Unfortunately, I didn't find anything in the specfiles or any further examples...

Has anyone configured this? Or can anyone give any advice?

Best regards,

Andreas

Ultra Champion

_HTTPOUT_ROUTING is not valid and has since been removed from the documentation. Thanks for calling it out!

0 Karma

SplunkTrust
SplunkTrust
  1. what is your use case for using HTTP vs just letting Splunk do its thing? it might to give an answer if we understand the problem and the architecture
  2. do you have an config files you've tried but aren't work? can you post them?
  3. "You can configure routing only on a heavy forwarder" basically, this is a full Splunk Enterprise installation, you just dont use all the features (usually the web interface for search) and forward data to another installation/indexer. there's a lot of features i've found out aren't supported on the universal forwarders by banging my head against a wall until going back to the docs for the 400th time and then finding that one line that says...nope, not on a universal forwarder
  4. " transforms_stanza_name must be unique" this is also a head-banger...unique means not to that config file but to your entire deployment
  5. outputs.conf gets configured as normal
0 Karma

SplunkTrust
SplunkTrust

Do you mean _TCP_ROUTING? There isn’t an _HTTP_ROUTING that I can find in outputs.conf or inputs.conf documentation, and I can’t find it at the link you gave.

If so, _TCP_ROUTING tells your inputs which stanza in outputs.conf to use. You can specify it per input or at a global level. See inputs.conf documentation for more details.

_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>, ...
* Comma-separated list of tcpout group names.
* Using this, you can selectively forward the data to specific indexer(s).
* Specify the tcpout group the forwarder should use when forwarding the data.
  The tcpout group names are defined in outputs.conf with
  [tcpout:<tcpout_group_name>].
* Defaults to groups specified in "defaultGroup" in [tcpout] stanza in
  outputs.conf.
* To forward data to all tcpout group names that have been defined in
  outputs.conf, set to '*' (asterisk).
* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be
  set to either "*" or a specific splunktcp target group.
0 Karma

Splunk Employee
Splunk Employee

hey @schose,

Did you get a chance to consider @jkat54 's question? If so, please respond, as it will enable users to better solve your problem.

Thanks for posting!

0 Karma

Contributor

Hi,

i really meant _HTTPOUT_ROUTING .. it would be awsome to have such a functionality as it could give you much more flexibility as _TCPOUT and _SYSLOG_ROUTING.

I would love to see this and hope is not a documentation failure.

0 Karma

Path Finder

As far as I'm aware, this does not exist. If you're looking to route data from the ingestion pipeline to third party systems, this is a use case we support in Cribl (https://www.cribl.io).

0 Karma

Contributor

exactly, i want to router data to 3rd party systems.. cribl.io looks really interessting to me. I guess we should talk at .conf2018!

0 Karma

SplunkTrust
SplunkTrust

Hi @jkat54,

_HTTPOUT_ROUTING mentioned in documentation, DEST_KEY should be set to _TCP_ROUTING to send events via TCP. It can also be set to _SYSLOG_ROUTING or _HTTPOUT_ROUTING for other output processors. but I am not able to find anything in outputs.conf and transforms.conf.

Looks like documentation error.

0 Karma

SplunkTrust
SplunkTrust

I see that but I don’t know he answer. Converting to comment.

0 Karma