How to configure an app's outputs.conf to forward data to a specific indexer?

Explorer

Hi Experts,

We deployed 4 apps on a Splunk Universal Forwarder. 3 apps have the same outputs.conf and send data to the same indexer.

The 4th app has a different indexer IP.

All 3 apps are able to send data to their respective indexer but the 4th app is failing to send data.

If I delete all 3 apps and keep only 4th one, it works.

Need your expert suggestion.

0 Karma

Explorer

I am thinking of one more way:

Send all 4 apps' data to a heavy forwarder.

From the heavy forwarder, send the 3 apps' index to indexer 1.

From the heavy forwarder, send the 4th app's index to indexer 2.

Can anyone help with the heavy forwarder configuration for this?

0 Karma

Legend

Hi chanduira,
I suggest creating a separate TA containing only one outputs.conf that includes all four configurations, and deploying it using a Deployment Server.
This way you're sure not to have conflicts between outputs.conf files.
Bye.
Giuseppe

0 Karma

Splunk Employee

When you deploy the 3 apps, you are likely overriding the 4th app's outputs.conf.

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Wheretofindtheconfigurationfiles

Can you share the outputs.conf of the 3 apps vs the 4th app so we can help you reach the config you are looking for?

0 Karma

Explorer

outputs.conf is the same for all apps; only the group and indexer name are different.

For the 3 apps:

group name: defaultgroup

indexer: test.com:9997

For the 4th app:

group name: group4

indexer: group4.com:9997

0 Karma

Splunk Employee

You can, and should be able to, avoid the need for a heavy forwarder by using the route and filter options for inputs.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad

See: Route inputs to specific indexers based on the data's input

You can create a single outputs.conf with all target indexers defined:

[tcpout:systemGroup]
server=server1:9997

[tcpout:applicationGroup]
server=server2:9997

Then in inputs.conf you can use _TCP_ROUTING to point the inputs accordingly.

[monitor://.../file1.log]
_TCP_ROUTING = systemGroup

[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup

0 Karma
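
An added example, not part of the thread or of Splunk's own code: a simplified Python model of how per-app outputs.conf files are merged setting by setting, showing why the fourth app's group stops receiving data and why naming it in _TCP_ROUTING fixes that. The app directory names and file contents are constructed from the values quoted above, and the model assumes app directories are layered in ASCII order with the first definition winning; it ignores default/ versus local/ and etc/system/local.

```python
import configparser

# Constructed sample: hypothetical app directory name -> its outputs.conf text.
APPS = {
    "app1_outputs": "[tcpout]\ndefaultGroup = defaultgroup\n"
                    "[tcpout:defaultgroup]\nserver = test.com:9997\n",
    "app4_outputs": "[tcpout]\ndefaultGroup = group4\n"
                    "[tcpout:group4]\nserver = group4.com:9997\n",
}

def parse(text):
    """Parse one .conf file into {stanza: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive (defaultGroup)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge_apps(apps):
    """Merge settings across apps; returns (merged config, origin of each setting)."""
    merged, origin = {}, {}
    for app in sorted(apps):  # assumed precedence: ASCII order, first wins
        for stanza, settings in parse(apps[app]).items():
            for key, value in settings.items():
                if key not in merged.setdefault(stanza, {}):
                    merged[stanza][key] = value
                    origin[(stanza, key)] = app
    return merged, origin

def unreachable_groups(merged, routed=()):
    """Groups that are defined but named neither by defaultGroup nor by an
    input's _TCP_ROUTING (passed in as `routed`), so no data reaches them."""
    raw = merged.get("tcpout", {}).get("defaultGroup", "")
    default = {g.strip() for g in raw.split(",") if g.strip()}
    defined = {s.split(":", 1)[1] for s in merged if s.startswith("tcpout:")}
    return sorted(defined - default - set(routed))

if __name__ == "__main__":
    merged, origin = merge_apps(APPS)
    print("defaultGroup =", merged["tcpout"]["defaultGroup"],
          "from", origin[("tcpout", "defaultGroup")])
    print("no data reaches:", unreachable_groups(merged))
    print("with _TCP_ROUTING = group4:", unreachable_groups(merged, ["group4"]))
```

On a real forwarder, `splunk btool outputs list --debug` prints the merged outputs.conf and the file each setting came from.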