Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I redirect data to a different set of indexers via my heavy forwarder?

daniel333
Builder
‎07-25-2016 07:12 PM

All,

I want to set aside a handful of indexers to store important data. I have a heavy forwarder setup. So should be an option in transforms.conf to redirect specific sources.. But for the life of me skimming the docs isn't working.

thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎07-25-2016 07:45 PM

You can define a separate group of indexers in your outputs.conf and target that group for each source you wish in the inputs.conf by setting below property



_TCP_ROUTING = tcpout_group_name

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎07-25-2016 07:45 PM

You can define a separate group of indexers in your outputs.conf and target that group for each source you wish in the inputs.conf by setting below property



_TCP_ROUTING = tcpout_group_name

0 Karma
Reply
Solved! Jump to solution

daniel333
Builder
‎07-25-2016 10:09 PM

Hey,

So what I didn't get is you still need an outputs.conf for this. Here is my final product. 

Placed this into one app - 

# props.conf
[host::*myserver*]
TRANSFORMS-routing=pciRouting

# transforms.conf
[pciRouting]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=pci-group

# outputs.conf
[tcpout]

[tcpout:pci-group]
server = myindexer.mydomain.com:9997
0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎07-26-2016 07:05 AM

You do not need any transforms. You Just need changes in outputs.conf and inputs.conf. Examples below

outputs.conf

[tcpout]

defaultGroup = Regular_Indexers

[tcpout:Regular_Indexers]
forceTimebasedAutoLB = true
autoLB = true
autoLBFrequency = 10
server = indexer1:9997,indexer2:9997,indexer3:9997,indexer4:9997,indexer5:9997
compressed = true

[tcpout:SPECIAL_Indexers]
forceTimebasedAutoLB = true
autoLB = true
autoLBFrequency = 10
server = indexer6:9997,indexer7:9997
compressed = true

inputs.conf

[monitor:///your/path/to/log_file.log]

_TCP_ROUTING = SPECIAL_Indexers //This will route the data for this source to the SPECIAL indexers
sourcetype = my_sourcetype1
index=my_index1

[monitor:///your/path/to/second_log_file.log]
sourcetype = my_sourcetype2 //This will go to the default group (Regular indexers)
index=my_index1
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...