Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can we send data to 2 different groups of indexers?

splunker9999
Path Finder
‎12-14-2016 12:16 PM

Hi

We are looking to forward same data to different indexers and we did the below steps for this.

We have 2 apps for outputs and each has one outputs.conf

1) output_ app1 

     outputs.conf   
     [tcpout:indexers_prod]
    server=server.corp:9197

2) output_app2 

     AWS_outputs.conf
     [tcpout:AWS_indexers_prod]
    server=server.corp:9197

We now created a new server class (data_inputs).
Created -> Serverclass -> data_inputs

Added above apps (app1 &app2 to server class), and also added a 3rd app (inputs app)

3) Created 3rd app (inputs app) and added below lines to inputs.conf

inputs.conf:

    [monitor:///logs/svc_cml_*/jobs/SCDB2/.../*.log]
    _TCP_ROUTING=indexers_prod;AWS_indexers_prod
    disabled=false
    index=sc_preprod

4) added Clients to serverclass
5) deployed these apps to clients.

We did above steps, but we are seeing data only on one of the groups of indexers.

Can someone help if there is any thing we missed here?

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2016 01:24 PM

First, the only name for outputs.conf is outputs.conf. AWS_outputs.conf will not be read or recognized. So I hope that you just gave that name so that we could distinguish the two files in this question. If not, you will need to make both names outputs.conf

Second, if you want, you can combine both stanzas into the same outputs.conf:

[tcpout]
defaultGroup = indexers_prod

[tcpout:indexers_prod]
server=server1.corp:9197

[tcpout:AWS_indexers_prod]
server=server2.corp:9197

Notice that I set indexers_prod as the default output stanza. Any input that does not specify a routing will go to indexers_prod
Also, I made the different server entries correspond to different servers - otherwise, I don't get the point. But you can still have two separate outputs.conf files if you prefer.

Third, whether you combine the outputs.conf or not, your inputs.conf should look like this (commas, not semicolons)

[monitor:///logs/svc_cml_*/jobs/SCDB2/.../*.log]
_TCP_ROUTING=indexers_prod,AWS_indexers_prod

I think this will work.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2016 01:24 PM

First, the only name for outputs.conf is outputs.conf. AWS_outputs.conf will not be read or recognized. So I hope that you just gave that name so that we could distinguish the two files in this question. If not, you will need to make both names outputs.conf

Second, if you want, you can combine both stanzas into the same outputs.conf:

[tcpout]
defaultGroup = indexers_prod

[tcpout:indexers_prod]
server=server1.corp:9197

[tcpout:AWS_indexers_prod]
server=server2.corp:9197

Notice that I set indexers_prod as the default output stanza. Any input that does not specify a routing will go to indexers_prod
Also, I made the different server entries correspond to different servers - otherwise, I don't get the point. But you can still have two separate outputs.conf files if you prefer.

Third, whether you combine the outputs.conf or not, your inputs.conf should look like this (commas, not semicolons)

[monitor:///logs/svc_cml_*/jobs/SCDB2/.../*.log]
_TCP_ROUTING=indexers_prod,AWS_indexers_prod

I think this will work.

Reply
Solved! Jump to solution

splunker9999
Path Finder
‎12-14-2016 03:05 PM

Thank you,

Changed semicolon to comma and logs ingested to both places like a champ 🙂

[monitor:///logs/svc_cml_*/jobs/SCDB2/.../*.log]
 _TCP_ROUTING=indexers_prod,AWS_indexers_prod
Reply
Solved! Jump to solution

iamkilarunaresh
Explorer
‎04-12-2018 01:40 PM

How can we put the index names here?

0 Karma
Reply
Solved! Jump to solution

bzam
Explorer
‎06-07-2018 07:02 AM

Wouldn't you just specify the index name like this:

[monitor:///logs/svc_cml_*/jobs/SCDB2/.../*.log]
 _TCP_ROUTING=indexers_prod,AWS_indexers_prod
index=foo
0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...