Hi Experts,
We deployed 4 apps on Splunk Universal Forwarder. 3 apps have the same outputs.conf and send data to the same indexer.
The 4th app has a different indexer IP.
All 3 apps are able to send data to their respective indexer but the 4th app is failing to send data.
If I delete all 3 apps and keep only 4th one, it works.
Need your expert suggestion.
I am thinking of one more way:
All 4 apps' data to >> Heavy forwarder
From the Heavy forwarder, send the 3 apps' index to Indexer 1
From the Heavy forwarder, send the 4th app's index to Indexer 2
Can anyone help with the Heavy forwarder configuration for this?
Hi chanduira,
I suggest creating a different TA containing only one outputs.conf that covers all four configurations, and deploying it using a Deployment Server.
This way you're sure not to have conflicts between outputs.conf files.
Bye.
Giuseppe
Hi gcusello,
I did this method, but when I restart Splunk Universal Forwarder, the following warning appears:
No spec file for: /opt/splunkforwarder/etc/apps/outputs/local/app.conf
Checking: /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf
Invalid key in stanza [general] in /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf, line 2: site (value: site2).
By the way, the mentioned architecture is a multisite cluster and we want all of the Splunk Universal Forwarders to send data to site 2.
Many Thanks.
Hi @maede_yavari ,
the message means that you have to copy the app.conf from the default folder to the local one.
Then, there's an error in outputs.conf: check it, and if you want, share it, masking the IP addresses if necessary.
Ciao.
Giuseppe
When you deploy the 3 apps, you are likely overriding the 4th app's outputs.conf.
https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Wheretofindtheconfigurationfiles
Can you share the outputs.conf of the 3 apps vs the 4th app so we can help you reach the config you are looking for?
outputs.conf is the same for all apps; only the group and indexer name are different.
For the 3 apps:
groupname is: defaultgroup
indexer: test.com:9997
For the 4th app:
groupname is: group4
indexer: group4.com:9997
You can, and should be able to, avoid the need for a heavy forwarder by using the route and filtering options for inputs:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad
see: Route inputs to specific indexers based on the data's input
You can create a single outputs.conf with all target indexers defined:
[tcpout:systemGroup]
server=server1:9997
[tcpout:applicationGroup]
server=server2:9997
Then in inputs you can use TCP_ROUTING to point the inputs accordingly.
[monitor://.../file1.log]
_TCP_ROUTING = systemGroup
[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup
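To make the conflict in this thread concrete, here is an added illustration (my own code, not Splunk's and not from any poster): it layers several apps' outputs.conf the way a single merged key survives, shows that the 4th app's defaultGroup is dropped, and then resolves the same inputs against one outputs.conf with _TCP_ROUTING. The app precedence order and the sample configs are assumptions for the demonstration, not Splunk's actual precedence rule.

```python
import configparser
from typing import Dict, List, Tuple
Conf = Dict[str, Dict[str, str]]

def parse_conf(text: str) -> Conf:
    """Parse Splunk-style .conf text ([stanza] headers, key = value) into nested dicts."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case: defaultGroup, _TCP_ROUTING
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge_outputs(apps: Dict[str, str], precedence: List[str]) -> Tuple[Conf, List[str]]:
    """Layer several apps' outputs.conf: one value per key survives, the app earlier in
    `precedence` (an assumed order, not Splunk's real rule) wins; losers are reported."""
    merged: Conf = {}
    conflicts: List[str] = []
    for app in precedence:
        for stanza, keys in parse_conf(apps[app]).items():
            target = merged.setdefault(stanza, {})
            for key, value in keys.items():
                if key not in target:
                    target[key] = value
                elif target[key] != value:
                    conflicts.append(f"{app}: [{stanza}] {key}={value} lost to {target[key]}")
    return merged, conflicts

def resolve_routes(inputs_text: str, outputs: Conf) -> Dict[str, str]:
    """Server each input stanza is forwarded to: _TCP_ROUTING wins, else defaultGroup."""
    default = outputs.get("tcpout", {}).get("defaultGroup", "")
    routes: Dict[str, str] = {}
    for stanza, keys in parse_conf(inputs_text).items():
        group = keys.get("_TCP_ROUTING", default)
        routes[stanza] = outputs.get(f"tcpout:{group}", {}).get("server", "<no such group>")
    return routes

# Constructed sample (not from the thread): three apps set defaultGroup to the shared indexer, the fourth to its own.
SHARED = "[tcpout]\ndefaultGroup = defaultgroup\n[tcpout:defaultgroup]\nserver = test.com:9997\n"
FOURTH = "[tcpout]\ndefaultGroup = group4\n[tcpout:group4]\nserver = group4.com:9997\n"
PER_APP = {"app1": SHARED, "app2": SHARED, "app3": SHARED, "app4": FOURTH}
PLAIN_INPUTS = "[monitor:///var/log/file1.log]\n[monitor:///var/log/file2.log]\n"
# The fix from the answer: one outputs.conf with both groups, routing chosen per input.
SINGLE = SHARED + "[tcpout:group4]\nserver = group4.com:9997\n"
ROUTED_INPUTS = ("[monitor:///var/log/file1.log]\n_TCP_ROUTING = defaultgroup\n"
                 "[monitor:///var/log/file2.log]\n_TCP_ROUTING = group4\n")
if __name__ == "__main__":
    merged, conflicts = merge_outputs(PER_APP, ["app1", "app2", "app3", "app4"])
    print("dropped:", conflicts)  # app4's defaultGroup=group4 is lost
    print("four apps:", resolve_routes(PLAIN_INPUTS, merged))  # file2 lands on test.com
    print("one outputs.conf:", resolve_routes(ROUTED_INPUTS, parse_conf(SINGLE)))
```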