How to configure an app's outputs.conf to forward data to a specific indexer?
Hi Experts,
We deployed 4 apps on a Splunk Universal Forwarder. 3 apps have the same outputs.conf and send data to the same indexer.
The 4th app has a different indexer IP.
All 3 apps are able to send data to their respective indexer but the 4th app is failing to send data.
If I delete all 3 apps and keep only 4th one, it works.
Need your expert suggestion.
I am thinking of one more way:
All 4 apps' data to >> Heavy forwarder
From the Heavy forwarder, send the 3 apps' index to Indexer 1
From the Heavy forwarder, send the 4th app's index to Indexer 2
Can anyone help with the Heavy forwarder configuration for this?

Hi chanduira,
I suggest creating a different TA containing only one outputs.conf that includes all four configurations, and deploying it using a Deployment Server.
This way you're sure not to have conflicts between outputs.conf files.
Bye.
Giuseppe
Hi gcusello,
I used this method, but when I restart the Splunk Universal Forwarder, the following warning appears:
No spec file for: /opt/splunkforwarder/etc/apps/outputs/local/app.conf
Checking: /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf
Invalid key in stanza [general] in /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf, line 2: site (value: site2).
By the way, the mentioned architecture is a multisite cluster and we want all of the Splunk Universal Forwarders to send data to site 2.
Many Thanks.

Hi @maede_yavari ,
the message means that you have to copy the app.conf from the default folder to the local one.
Then, there's an error in outputs.conf: check it and, if you want, share it, masking the IP addresses if needed.
Ciao.
Giuseppe

When you deploy the 3 apps, you are likely overriding the 4th app's outputs.conf.
https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Wheretofindtheconfigurationfiles
Can you share the outputs.conf of the 3 apps vs the 4th app so we can help you reach the config you are looking for?
outputs.conf is the same for all apps; only the group and indexer name are different.
For the 3 apps:
groupname is: defaultgroup
indexer: test.com:9997
For the 4th app:
groupname is: group4
indexer: group4.com:9997

You can, and should be able to, avoid the need for a heavy forwarder by using the routing and filtering options for inputs:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad
See: Route inputs to specific indexers based on the data's input.
You can create a single outputs.conf with all target indexers defined:
[tcpout:systemGroup]
server=server1:9997
[tcpout:applicationGroup]
server=server2:9997
Then in inputs you can use _TCP_ROUTING to point the inputs accordingly.
[monitor://.../file1.log]
_TCP_ROUTING = systemGroup
[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup
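
Added example, not part of the thread and not Splunk's own code: a small Python model of the conflict discussed above, showing which `defaultGroup` wins when several apps each ship an outputs.conf and which target groups then need `_TCP_ROUTING`. It assumes each app sets `defaultGroup` under `[tcpout]` (the thread gives only group and indexer names), uses hypothetical app directory names `app1` to `app4`, and simplifies Splunk's precedence to one file per app, where the app directory that sorts first in ASCII order wins.

```python
"""Model of outputs.conf merging across forwarder apps (constructed inputs)."""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def merge_apps(apps):
    """Merge per-app outputs.conf text; earlier app name (ASCII order) wins.

    Returns (effective, shadowed): effective maps stanza -> key -> (value, app),
    shadowed lists (app, stanza, key, value, winning_app) for settings that lost.
    """
    effective, shadowed = {}, []
    for app in sorted(apps):
        for stanza, settings in parse_conf(apps[app]).items():
            for key, value in settings.items():
                won = effective.setdefault(stanza, {}).setdefault(key, (value, app))
                if won[0] != value:
                    shadowed.append((app, stanza, key, value, won[1]))
    return effective, shadowed

def groups_needing_routing(effective):
    """Target groups that are defined but missing from the winning defaultGroup."""
    default = effective.get("tcpout", {}).get("defaultGroup", ("", None))[0]
    defaults = {g.strip() for g in default.split(",") if g.strip()}
    defined = {s.split(":", 1)[1] for s in effective if s.startswith("tcpout:")}
    return sorted(defined - defaults)

# Constructed sample files; app names and the [tcpout] defaultGroup lines are assumptions.
SHARED = "[tcpout]\ndefaultGroup = defaultgroup\n[tcpout:defaultgroup]\nserver = test.com:9997\n"
APPS = {
    "app1": SHARED, "app2": SHARED, "app3": SHARED,
    "app4": "[tcpout]\ndefaultGroup = group4\n[tcpout:group4]\nserver = group4.com:9997\n",
}

if __name__ == "__main__":
    effective, shadowed = merge_apps(APPS)
    for app, stanza, key, value, winner in shadowed:
        print(f"{app}: [{stanza}] {key}={value} is overridden by {winner}")
    print("groups that only receive data via _TCP_ROUTING:", groups_needing_routing(effective))
```

On a real forwarder, `splunk btool outputs list --debug` prints the merged configuration together with the file each setting came from.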
