Heavy Forwarder routing to two separate indexer clusters

fisuser1
Contributor

I have a HF forwarding specific sourcetypes to two different indexer clusters. However, it does not seem to be working even though I have followed the routing and filter data approach. All data seems to be forwarding to all indexers. (I am seeing errors on the second set of indexers since the index does not exist, which is expected.) I've also confirmed there aren't any conflicting inputs taking precedence in system/local.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Routeandfilterdatad

Any suggestions?

outputs
[tcpout]
indexAndForward = 0

[tcpout]
defaultGroup = fis_search_peers,profile_search_peers

[tcpout:fis_search_peers]
server = idx1:9997, idx2:9997, idx3:9997, idx4:9997, idx5:9997, idx6:9997, idx7:9997, idx8:9997
autoLBFrequency=15
autoLB=true
useACK=true
forceTimebasedAutoLB = true

[tcpout:profile_search_peers]
server = f_idx1:9997, f_idx2:9997, f_idx3:9997
autoLBFrequency=15
autoLB=true
useACK=true
forceTimebasedAutoLB = true

inputs
[integrated_payables]
connection = prd_integrated_payables
disabled = 0
index = integrated_payables
index_time_mode = dbColumn
input_timestamp_column_number = 2
interval = 900
mode = rising
query = SELECT [Id] ,\
[Date] ,\
[Thread] ,\
[Level] ,\
Logger ,\
NestedContext ,\
[Message] ,\
[Exception] ,\
[HostName] ,\
[Thread_Context_ID]\
FROM "Logging"."dbo"."Log"\
WHERE Date > ?\
ORDER BY Date ASC
sourcetype = prd_int_pay_payspan_logging_db
tail_rising_column_number = 2
_TCP_ROUTING = fis_search_peers

[monitor:///ma/xpressng/logs/WAS85//MA_XpressNG_Prd_ma.log]
sourcetype = prd_mba_infinity_application
index = mba_infinity
_TCP_ROUTING = profile_search_peers

0 Karma
1 Solution

renjith_nair
Legend

@fisuser1 ,

You have set defaultGroup to both indexer groups and, as per the documentation, it sends events to all specified target groups.

https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/Configureforwardingwithoutputs.conf#...

Set default target groups in outputs.conf

The defaultGroup attribute lets you set default groups for automatic forwarding at the global level, in your [tcpout] stanza.

The defaultGroup specifies one or more target groups that you define later in tcpout:<target_group> stanzas. The forwarder sends all events to the specified groups.

[tcpout]
defaultGroup= <target_group1>, <target_group2>, ...

If you do not want to forward data automatically, do not set the defaultGroup attribute.
---
What goes around comes around. If it helps, hit it with Karma 🙂
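
An added example, not from the thread or from Splunk's own tooling: a Python check over the thread's configuration (abridged) that flags a defaultGroup listing more than one target group, inputs with no _TCP_ROUTING, and _TCP_ROUTING values naming a group that has no tcpout: stanza. The function names, finding labels and the two constructed_* monitor stanzas are assumptions made for illustration.

```python
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.replace("\\\n", " ").splitlines():  # join \ continuations
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # merges repeats
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def groups(value):
    return [g.strip() for g in (value or "").split(",") if g.strip()]

def audit(outputs_text, inputs_text):
    """Return (finding, stanza, groups) tuples for routing problems."""
    out, inp = parse_conf(outputs_text), parse_conf(inputs_text)
    defined = {s.split(":", 1)[1] for s in out if s.startswith("tcpout:")}
    defaults = groups(out.get("tcpout", {}).get("defaultGroup"))
    findings = []
    if len(defaults) > 1:  # all events are sent to every listed group
        findings.append(("default_sends_to_all", "tcpout", defaults))
    for stanza, keys in inp.items():
        routes = groups(keys.get("_TCP_ROUTING"))
        unknown = [g for g in routes if g not in defined]
        kind = "no_explicit_route" if not routes else "undefined_group"
        if not routes or unknown:  # no route: relies on defaultGroup
            findings.append((kind, stanza, unknown))
    return findings

# Thread's configuration, abridged; the constructed_* stanzas are made up.
OUTPUTS = r"""[tcpout]
indexAndForward = 0
[tcpout]
defaultGroup = fis_search_peers,profile_search_peers
[tcpout:fis_search_peers]
[tcpout:profile_search_peers]"""
INPUTS = r"""[integrated_payables]
query = SELECT [Id] ,\
FROM "Logging"."dbo"."Log"
_TCP_ROUTING = fis_search_peers
[monitor:///ma/xpressng/logs/WAS85//MA_XpressNG_Prd_ma.log]
_TCP_ROUTING = profile_search_peers
[monitor:///var/log/constructed_a.log]
[monitor:///var/log/constructed_b.log]
_TCP_ROUTING = profile_search_peer"""

if __name__ == "__main__":
    print(*audit(OUTPUTS, INPUTS), sep="\n")
```

Feeding it the output of `splunk btool outputs list` instead of a single file checks the merged configuration the forwarder actually loads.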

fisuser1
Contributor

Somehow I completely overlooked this, thank you @renjith.nair. I believe this will do exactly what I am looking for in breaking up this traffic. Thank you!

0 Karma