How to configure an app's outputs.conf to forward data to a specific indexer?

chanduira
Explorer

Hi Experts,

We deployed 4 apps on a Splunk Universal Forwarder. 3 apps have the same outputs.conf and send data to the same indexer.

The 4th app has a different indexer IP.

All 3 apps are able to send data to their respective indexer, but the 4th app is failing to send data.

If I delete all 3 apps and keep only the 4th one, it works.

Need your expert suggestion.


chanduira
Explorer

I am thinking of one more way:

all 4 apps' data to >> Heavy forwarder

From the heavy forwarder, send the 3 apps' index to Indexer 1

From the heavy forwarder, send the 4th app's index to Indexer 2

Can anyone help with the heavy forwarder configuration for this?


gcusello
SplunkTrust

Hi chanduira,
I suggest creating a different TA containing only one outputs.conf that covers all four configurations, and deploying it using a Deployment Server.
In this way you are sure not to have conflicts between outputs.conf files.
Bye.
Giuseppe


maede_yavari
Explorer

Hi gcusello,

I did this method, but when I restart the Splunk Universal Forwarder, the following warning appears:

No spec file for: /opt/splunkforwarder/etc/apps/outputs/local/app.conf
Checking: /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf
Invalid key in stanza [general] in /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf, line 2: site (value: site2).

By the way, the architecture mentioned is a multisite cluster, and we want all of the Splunk Universal Forwarders to send data to site 2.

Many Thanks.


gcusello
SplunkTrust

Hi @maede_yavari ,

the message means that you have to copy the app.conf from the default folder to the local one.

Then, there's an error in outputs.conf: check it and, if you want, share it, masking IP addresses if necessary.

Ciao.

Giuseppe


mattymo
Splunk Employee

When you deploy the 3 apps, you are likely overriding the 4th app's outputs.conf.

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Wheretofindtheconfigurationfiles

Can you share the outputs.conf of the 3 apps vs the 4th app so we can help you reach the config you are looking for?

- MattyMo

chanduira
Explorer

outputs.conf is the same for all apps; only the group and indexer name are different.

For the 3 apps:

group name: defaultgroup

indexer: test.com:9997

For the 4th app:

group name: group4

indexer: group4.com:9997


mattymo
Splunk Employee

You can, and should be able to, avoid the need for a heavy forwarder by using the route and filter options for inputs.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad

see: Route inputs to specific indexers based on the data's input

You can create a single outputs.conf with all target indexers defined:

[tcpout:systemGroup]
server=server1:9997

[tcpout:applicationGroup]
server=server2:9997

Then, in inputs.conf, you can use _TCP_ROUTING to point the inputs accordingly:

[monitor://.../file1.log]
_TCP_ROUTING = systemGroup

[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup

- MattyMo
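The two replies above describe the same problem from both sides: the forwarder merges every app's outputs.conf into one effective configuration, so four apps that each set `[tcpout] defaultGroup` cannot all win, and the consolidated outputs.conf plus per-input `_TCP_ROUTING` is the fix. The script below is an added example, not code from the thread or from Splunk. It models the relevant part of Splunk's precedence rules (within the same layer, the app whose directory name sorts first in ASCII order wins a conflicting key; `etc/system/local` beats every app and the `default/` layer is not modelled here), reproduces the four-app collision, and then shows how the consolidated outputs.conf routes the 4th app's input. App names, file contents and the log path are constructed; `test.com` and `group4.com` are the placeholder names from the thread.

```python
"""Simulate how a Splunk Universal Forwarder layers outputs.conf across apps.

Added example, not code from the original thread or from Splunk. It models
only the app-level precedence rule (ASCII sort order of app directory names,
earliest wins) for a single configuration layer; etc/system/local and the
default/ layer are deliberately left out. Hostnames, app names and paths
are constructed for illustration.
"""
import configparser
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case sensitive (defaultGroup)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge_apps(apps: Dict[str, str]) -> Conf:
    """Merge one conf file across apps using Splunk's app precedence.

    `apps` maps app directory name -> conf text for that app's local/ layer.
    Apps are applied from last to first in ASCII sort order, so the app that
    sorts closest to 'A' writes last and therefore wins a conflicting key.
    """
    merged: Conf = {}
    for app in sorted(apps, reverse=True):
        for stanza, keys in parse_conf(apps[app]).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def targets_for_input(outputs: Conf, inputs: Conf, stanza: str) -> List[str]:
    """Return the indexers an input stanza forwards to.

    _TCP_ROUTING on the input selects tcpout groups explicitly; otherwise the
    forwarder falls back to [tcpout] defaultGroup. Both may be comma lists.
    """
    routing = inputs.get(stanza, {}).get("_TCP_ROUTING")
    if routing is None:
        routing = outputs.get("tcpout", {}).get("defaultGroup", "")
    servers: List[str] = []
    for group in (g.strip() for g in routing.split(",") if g.strip()):
        server_list = outputs.get(f"tcpout:{group}", {}).get("server", "")
        servers.extend(s.strip() for s in server_list.split(",") if s.strip())
    return servers


# --- Constructed reproduction of the thread's four-app deployment ----------
SHARED_OUTPUTS = """
[tcpout]
defaultGroup = defaultgroup

[tcpout:defaultgroup]
server = test.com:9997
"""

APP4_OUTPUTS = """
[tcpout]
defaultGroup = group4

[tcpout:group4]
server = group4.com:9997
"""

BROKEN_DEPLOYMENT = {
    "TA_app1": SHARED_OUTPUTS,
    "TA_app2": SHARED_OUTPUTS,
    "TA_app3": SHARED_OUTPUTS,
    "TA_app4": APP4_OUTPUTS,  # sorts last, so its defaultGroup is overridden
}

# --- The fix: one outputs.conf app plus _TCP_ROUTING on the 4th app's input --
CONSOLIDATED_OUTPUTS = """
[tcpout]
defaultGroup = defaultgroup

[tcpout:defaultgroup]
server = test.com:9997

[tcpout:group4]
server = group4.com:9997
"""

APP4_INPUTS = """
[monitor:///var/log/app4/app4.log]
_TCP_ROUTING = group4
"""


def broken_effective_outputs() -> Conf:
    """Effective outputs.conf with four conflicting apps deployed."""
    return merge_apps(BROKEN_DEPLOYMENT)


def fixed_route_for_app4() -> List[str]:
    """Where the 4th app's monitor input goes with the consolidated config."""
    outputs = merge_apps({"TA_outputs": CONSOLIDATED_OUTPUTS})
    return targets_for_input(outputs, parse_conf(APP4_INPUTS),
                             "monitor:///var/log/app4/app4.log")


if __name__ == "__main__":
    eff = broken_effective_outputs()
    print("effective defaultGroup with four apps:", eff["tcpout"]["defaultGroup"])
    print("group4 stanza still present but unused:", "tcpout:group4" in eff)
    print("app4 input with the fix routes to:", fixed_route_for_app4())
```

In the broken layout the `[tcpout:group4]` stanza survives the merge, but `defaultGroup` is taken from the first app in sort order, so nothing is ever sent to group4.com; with the single outputs.conf and `_TCP_ROUTING` on the input, the 4th app's data reaches group4.com while everything else still uses the default group. On a real forwarder the same question is answered by `$SPLUNK_HOME/bin/splunk btool outputs list --debug`, which prints the effective configuration with the file each key was taken from.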