We have a scenario where we need to forward data from 1 directory to 2 different indexer clusters. While this is achievable through TCP Routing in inputs.conf, I believe the solution will only work if everything else remains the same in the monitoring stanza.
We need to send data to the 2 clusters with different index/sourcetype configuration. Is this possible using the same inputs.conf file?
We have observed that setting up 2 different stanzas for the same monitored directory results in only one of the stanzas being respected. Below is a description of the configuration.
[monitor:///A/B/C]
index = index1
sourcetype = st1
_TCP_ROUTING = cluster1

[monitor:///A/B/C]
index = index2
sourcetype = st2
_TCP_ROUTING = cluster2
The above configuration resulted in the data only flowing to cluster2. We tried differentiating the 2 stanzas by putting asterisk at the end of the directory name, but it didn't make a difference.
Hi tusharsaran1,
you have two solutions to your problem:
For the symbolic link approach you have to create a symlink and configure two stanzas in inputs.conf.
To override sourcetype see https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides .
If possible I suggest the second one.
Bye.
Giuseppe
Thanks for your response Giuseppe. What we observed during our testing earlier was that fishbucket was preventing the files in the dir to be sent to both clusters because it respected only 1 stanza and ignored the file when it encountered the second stanza.
When we use symlinks, won't we run into the same issue again as the actual file names (including absolute path) would still remain the same?
Hi tusharsaran1,
did you use crcSalt = <SOURCE>
and followSymlink = true
in the symlink stanza?
I have some situations managed with symlink and they correctly run.
Bye.
Giuseppe
I meant when we did the testing without symlinks, we ran into issues with fishbucket. I am accepting this answer for now as I am going to create symlinks to test it out. I'll reopen the communication if the solution doesn't work for us.
I am not sure if the second solution is going to work for us. The documentation that you shared talks about overriding sourcetypes on a per-event basis. We need to configure different sourcetypes on a directory basis. Moreover, we also need to assign different indexes.
Can you provide some more info about symlinks here? How should we use symlinks to suit our requirements? Do you mean we should just create a symlink and then have 2 monitor stanzas (one for the original dir and one for the symlink) ? If yes, then I think this is a good idea.
Also, why do you prefer the second approach?
Hi tusharsaran1,
I prefer the second approach because in this way I have more control over the operation, managing it on the indexers.
In this way you configure one of your cluster's indexers to change the sourcetype for a specified sourcetype:
e.g. if I have a sourcetype called S_one and I want to change it to S_two I use
in props.conf
# apply the transform to every event that arrives with sourcetype S_one
[S_one]
TRANSFORMS-S_one = Override_S_one
In transforms.conf
[Override_S_one]
# match every event and rewrite its sourcetype to S_two
REGEX = .
FORMAT = sourcetype::S_two
DEST_KEY = MetaData:Sourcetype
About the symlink, yes, you create a symlink and then you have two stanzas in inputs.conf.
Remember to put in your symlink stanza the following items:
crcSalt = <SOURCE>
followSymlink = true
Bye.
Giuseppe
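The symlink approach from the answer above, as an added example that is not part of the thread and not Splunk's own code: a POSIX shell script that creates the symlink and writes the forwarder-side inputs.conf and outputs.conf with two monitor stanzas, one per path, each routed to its own tcpout group. The real directory /A/B/C, the index and sourcetype names and the routing groups cluster1/cluster2 come from the question; the symlink location, the indexer host names and port 9997 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Stages a symlink plus a two-stanza
# forwarder config so one directory is sent to two indexer clusters.
# Hypothetical: the symlink path, indexer host names and port are placeholders.
set -eu

# Write inputs.conf and outputs.conf under $1 for the real dir $2 and symlink $3.
write_forwarder_conf() {
  conf_dir=$1; real_dir=$2; link_dir=$3
  mkdir -p "$conf_dir"
  cat > "$conf_dir/inputs.conf" <<EOF
# Real path: index1/st1, routed to cluster1
[monitor://$real_dir]
index = index1
sourcetype = st1
_TCP_ROUTING = cluster1

# Same files seen through the symlink: the source path differs, and
# crcSalt = <SOURCE> folds that path into the CRC so the fishbucket does
# not treat the files as already read by the first stanza.
[monitor://$link_dir]
index = index2
sourcetype = st2
_TCP_ROUTING = cluster2
crcSalt = <SOURCE>
followSymlink = true
EOF
  cat > "$conf_dir/outputs.conf" <<EOF
# One tcpout group per cluster; names must match _TCP_ROUTING in inputs.conf
[tcpout]
defaultGroup = cluster1

[tcpout:cluster1]
server = idx1a.example.internal:9997, idx1b.example.internal:9997

[tcpout:cluster2]
server = idx2a.example.internal:9997, idx2b.example.internal:9997
EOF
}

# Create the symlink $2 -> $1, failing if $2 already points somewhere else.
make_link() {
  real_dir=$1; link_dir=$2
  if [ -L "$link_dir" ]; then
    [ "$(readlink "$link_dir")" = "$real_dir" ] || {
      echo "$link_dir already exists and points elsewhere" >&2; return 1; }
  else
    ln -s "$real_dir" "$link_dir"
  fi
}

# Sanity check on inputs.conf: two monitor stanzas, two routing lines,
# and the crcSalt that keeps the second stanza from being skipped.
check_conf() {
  f=$1
  [ "$(grep -c '^\[monitor://' "$f")" -eq 2 ] || return 1
  [ "$(grep -c '^_TCP_ROUTING = ' "$f")" -eq 2 ] || return 1
  grep -q '^crcSalt = <SOURCE>$' "$f" || return 1
}

# Dry run in a temporary tree (no Splunk install needed to inspect the files).
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/A/B/C"
  echo "2024-01-01T00:00:00Z app started" > "$work/A/B/C/app.log"  # constructed sample
  make_link "$work/A/B/C" "$work/C_via_link"
  write_forwarder_conf "$work/etc" "$work/A/B/C" "$work/C_via_link"
  check_conf "$work/etc/inputs.conf" && echo "config written under $work/etc"
}
```

Two caveats before using this in production: crcSalt = <SOURCE> makes a renamed file (for example one rotated from app.log to app.log.1) look new to the forwarder, so the symlink stanza will index rotated files a second time unless rotation does not rename files; and the two stanzas must point at the real directory and the link, never at the same literal path, since Splunk keeps only one of two stanzas with an identical name. The props.conf/transforms.conf override in the answer above can be used instead on the indexer side, and an index can be rewritten the same way with DEST_KEY = _MetaData:Index and FORMAT = index2.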
have a look at this answer
https://answers.splunk.com/answers/108295/sending-two-inputs-from-one-universal-forwarder-to-two-dif...
Let me know if this helps you!
Not exactly. I have edited my question's original description to provide more context.
I have edited the answer, please check.