Getting Data In

How to configure an app's outputs.conf to forward data to a specific indexer?

chanduira
Explorer

Hi Experts,

We deployed 4 apps on Splunk Universal Forwarder. 3 of the apps have the same outputs.conf and send data to the same indexer.

The 4th app has a different indexer IP.

All 3 apps are able to send data to their respective indexer, but the 4th app is failing to send data.

If I delete all 3 apps and keep only the 4th one, it works.

Need your expert suggestion.

0 Karma

chanduira
Explorer

I am thinking of one more way:

All 4 apps send data to >> Heavy forwarder

From the heavy forwarder, send the 3 apps' indexes to Indexer 1

From the heavy forwarder, send the 4th app's index to Indexer 2

Can anyone help with the heavy forwarder configuration for this?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi chanduira,
I suggest creating a separate TA containing only one outputs.conf that includes all four configurations, and deploying it using a Deployment Server.
This way you can be sure there are no conflicts between outputs.conf files.
Bye.
Giuseppe

0 Karma

maede_yavari
Explorer

Hi gcusello,

I tried this method, but when I restart Splunk Universal Forwarder, the following warning appears:

No spec file for: /opt/splunkforwarder/etc/apps/outputs/local/app.conf
Checking: /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf
Invalid key in stanza [general] in /opt/splunkforwarder/etc/apps/outputs/local/outputs.conf, line 2: site (value: site2).

By the way, the architecture mentioned is a multisite cluster, and we want all of the Splunk Universal Forwarders to send data to site 2.

Many Thanks.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @maede_yavari ,

the message means that you have to copy app.conf from the default folder to the local one.

Then there's an error in outputs.conf: check it, and if you want, share it here, masking IP addresses if needed.

Ciao.

Giuseppe

0 Karma

mattymo
Splunk Employee
Splunk Employee

When you deploy the 3 apps, you are likely overriding the 4th app's outputs.conf

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Wheretofindtheconfigurationfiles

Can you share the outputs.conf of the 3 apps vs the 4th app so we can help you reach the config you are looking for?

- MattyMo
0 Karma

chanduira
Explorer

outputs.conf is the same for all apps; only the group and indexer name are different.

For the 3 apps:

groupname is: defaultgroup

indexer: test.com:9997

For the 4th app:

groupname is: group4

indexer: group4.com:9997

0 Karma

mattymo
Splunk Employee
Splunk Employee

You can, and should be able to, avoid the need for a heavy forwarder by using the route and filtering options for inputs:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad

See: Route inputs to specific indexers based on the data's input.

You can create a single outputs.conf with all target indexers defined:

[tcpout:systemGroup]
server=server1:9997

[tcpout:applicationGroup]
server=server2:9997

Then in inputs.conf you can use _TCP_ROUTING to point each input at the right group:

[monitor://.../file1.log]
_TCP_ROUTING = systemGroup

[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup

- MattyMo
0 Karma
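To make the conflict in the question and the single-outputs.conf fix concrete, here is an added check script (not from any of the posters, and not a Splunk tool): it parses per-app outputs.conf files, reports keys that different apps set to different values (the layered merge keeps only one, so the 4th app's defaultGroup is lost), and validates that every _TCP_ROUTING target in inputs.conf has a matching [tcpout:<group>] stanza. App names, file paths and hostnames are constructed placeholders.

```python
import configparser

# Constructed sample of the poster's layout: three apps point defaultGroup at one
# indexer, the fourth at another. Hostnames and app names are placeholders.
APP_OUTPUTS = {
    "app1": "[tcpout]\ndefaultGroup = defaultgroup\n[tcpout:defaultgroup]\nserver = test.com:9997\n",
    "app2": "[tcpout]\ndefaultGroup = defaultgroup\n[tcpout:defaultgroup]\nserver = test.com:9997\n",
    "app3": "[tcpout]\ndefaultGroup = defaultgroup\n[tcpout:defaultgroup]\nserver = test.com:9997\n",
    "app4": "[tcpout]\ndefaultGroup = group4\n[tcpout:group4]\nserver = group4.com:9997\n",
}
# Single outputs.conf plus inputs.conf (constructed); the last monitor stanza names a group that does not exist.
MERGED_OUTPUTS = """[tcpout]
defaultGroup = defaultgroup
[tcpout:defaultgroup]
server = test.com:9997
[tcpout:group4]
server = group4.com:9997
"""
INPUTS = """[monitor:///var/log/app1/file1.log]
_TCP_ROUTING = defaultgroup
[monitor:///var/log/app4/file4.log]
_TCP_ROUTING = group4
[monitor:///var/log/app5/file5.log]
_TCP_ROUTING = group5
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep defaultGroup / _TCP_ROUTING as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def find_conflicts(apps):
    """Keys that several apps set to different values; only one survives the merge."""
    seen = {}
    for app, text in apps.items():
        for stanza, keys in parse_conf(text).items():
            for k, v in keys.items():
                seen.setdefault((stanza, k), {})[app] = v
    return [(s, k, vals) for (s, k), vals in seen.items() if len(set(vals.values())) > 1]

def check_routing(outputs_text, inputs_text):
    """_TCP_ROUTING targets in inputs.conf with no matching [tcpout:<group>] stanza."""
    groups = {s.split(":", 1)[1] for s in parse_conf(outputs_text) if s.startswith("tcpout:")}
    missing = []
    for stanza, keys in parse_conf(inputs_text).items():
        for target in keys.get("_TCP_ROUTING", "").split(","):
            if target.strip() and target.strip() not in groups:
                missing.append((stanza, target.strip()))
    return missing
```

Run it against the real app directories by reading each app's local/outputs.conf into the dictionary; a non-empty result from either function is the misconfiguration this thread describes.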