How can I redirect mcollect to a different set of ...

daniel333 · ‎05-06-2019

All,

I have a |mcollect job that runs every night. I'd like the the results to goto a different indexer rather than the default on my search heads.

How do I specify the metric sourcetype in a props+transform to redirect it?

MuS · ‎05-06-2019

Hi daniel333,

you need to add a sourcetype to the mcollect that does exists anywhere else, and use this in your props.conf & transforms.conf to redirect the collected events.

The following is UNTESTED and might as well not work - but should give you an idea how it can be approached.

First configure props.conf on the parsing layer that receives the events from your search head (eq HWF or IDX):

props.conf

[MyMcollectSourceType]
TRANSFORMS-001-SendMyMcollectSourceTypeToAnotherIndexer = SendMyMcollectSourceTypeToAnotherIndexer

next you need a transforms.conf to tell Splunk what to do with the events:

transforms.conf

[SendMyMcollectSourceTypeToAnotherIndexer]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = MyMcollectSourceTypeToAnotherIndexer

last but not least you need to configure an outputs.conf to tell Splunk where to send the events:

outputs.conf

[tcpout: MyMcollectSourceTypeToAnotherIndexer]
server = TheOtherServerDNSName:9997

Restart this Splunk instance, and run on your search head the mcollect search:

 ... | mcollect index=<string> sourcetype=MyMcollectSourceType

This should in theory work, but as mentioned previously this is untested so might as well not work ¯\_(ツ)_/¯

Anyway, hope this helps to get you started ...

cheers, MuS

MuS · ‎05-06-2019

and add to the outputs.conf the following stanza/option:

[tcpout]
indexAndForward = true

How can I redirect mcollect to a different set of indexers?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life