We're prepping for a migration, so what I want is the exact same data going to OldServer and NewServer
Here's what I have so far:
Outputs.conf:
[tcpout]
autoLB = true
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
[tcpout:SplunkGroup]
defaultGroup=indexer1,indexer2
[tcpout:indexer1]
server = OldServerIP:8001
[tcpout:indexer2]
server = NewServerIP:8001
inputs.conf:
[monitor:///var/log/mylog.log]
index = myindex
sourcetype = mysourcetype
_TCP_ROUTING = SplunkGroup
When I set it up like this, I get no data, so obviously something is wrong. Splunkd.log isn't showing anything outside the norm
Anyone have ideas?
Try something like this for your outputs.conf
[tcpout]
autoLB = true
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
defaultGroup=indexer1,indexer2
[tcpout:indexer1]
server = OldServerIP:8001
[tcpout:indexer2]
server = NewServerIP:8001
See here for more information http://docs.splunk.com/Documentation/Splunk/6.0.2/Forwarding/Configureforwarderswithoutputs.confd#Da...
Try something like this for your outputs.conf
[tcpout]
autoLB = true
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
defaultGroup=indexer1,indexer2
[tcpout:indexer1]
server = OldServerIP:8001
[tcpout:indexer2]
server = NewServerIP:8001
See here for more information http://docs.splunk.com/Documentation/Splunk/6.0.2/Forwarding/Configureforwarderswithoutputs.confd#Da...
Do I need to refer to them at all in inputs.conf, or just leave that totally off?
The way that you have it laid out it looks like it's just going to default to the cloning, so I should just be able to declare each monitored log as such:
[monitor:///var/log/mylog.log]
index = myindex
sourcetype = mysourcetype
That is correct. You don't need anything in inputs.conf if all the data is supposed to go to the defaultGroup.
The input.conf entry is required for selective routing (not relevant here but just want to bring it up).
Interesting
Your declaration format works just fine, however, if I don't have my NewServer reachable, OldServer won't work either
Odd. But, I figure once I work the ACLs out, everything should work as necessary.