Getting Data In

How to configure inputs.conf to send data from 1 directory to 2 different clusters with different index/sourcetype

tusharsaran1
Path Finder

We have a scenario where we need to forward data from 1 directory to 2 different indexer clusters. While this is achievable through TCP Routing in inputs.conf, I believe the solution will only work if everything else remains the same in the monitoring stanza.
We need to send data to the 2 clusters with different index/sourcetype configuration. Is this possible using the same inputs.conf file?

We have observed that setting up 2 different stanzas for the same monitored directory results in only one of the stanzas being respected. Below is a description of the configuration.

# first stanza: intended for cluster1
[monitor:///A/B/C]
index = index1
sourcetype = st1
_TCP_ROUTING = cluster1

# second stanza with the same header: the conf parser merges duplicate
# stanzas, so these later values replace the first ones instead of
# creating a second input
[monitor:///A/B/C]
index = index2
sourcetype = st2
_TCP_ROUTING = cluster2

The above configuration resulted in the data only flowing to cluster2. We tried differentiating the 2 stanzas by putting asterisk at the end of the directory name, but it didn't make a difference.

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi tusharsaran1,
you have two solutions to your problem:

  • use symbolic link,
  • override sourcetype.

For the symbolic link, you have to create a symlink and configure two stanzas in inputs.conf.

To override sourcetype see https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides .

If possible I suggest the second one.

Bye.
Giuseppe


tusharsaran1
Path Finder

Thanks for your response Giuseppe. What we observed during our testing earlier was that fishbucket was preventing the files in the dir to be sent to both clusters because it respected only 1 stanza and ignored the file when it encountered the second stanza.
When we use symlinks, won't we run into the same issue again as the actual file names (including absolute path) would still remain the same?


gcusello
SplunkTrust
SplunkTrust

Hi tusharsaran1,
did you use crcSalt = <SOURCE> and followSymlink = true in the symlink stanza?
I have some situations managed with symlinks and they run correctly.

Bye.
Giuseppe


tusharsaran1
Path Finder

I meant when we did the testing without symlinks, we ran into issues with fishbucket. I am accepting this answer for now as I am going to create symlinks to test it out. I'll reopen the communication if the solution doesn't work for us.


tusharsaran1
Path Finder

I am not sure if the second solution is going to work for us. The documentation that you shared talks about overriding sourcetypes on a per-event basis. We need to configure different sourcetypes on a directory basis. Moreover, we also need to assign different indexes.
Can you provide some more info about symlinks here? How should we use symlinks to suit our requirements? Do you mean we should just create a symlink and then have 2 monitor stanzas (one for the original dir and one for the symlink)? If yes, then I think this is a good idea.
Also, why do you prefer the second approach?


gcusello
SplunkTrust
SplunkTrust

Hi tusharsaran1,
I prefer the second approach because this way I have more control over the operation, managing it on the indexers.
This way you configure the indexers of one of your clusters to change the sourcetype for a specified sourcetype:
e.g. if I have a sourcetype called S_one and I want to change it to S_two I use

in props.conf

[S_one]
# runs at index time on every event that arrives with sourcetype S_one
TRANSFORMS-S_one = Override_S_one

In transforms.conf

[Override_S_one]
# match every event
REGEX = .
# write the new sourcetype name into the sourcetype metadata field
FORMAT = sourcetype::S_two
DEST_KEY = MetaData:Sourcetype

About symlink, yes you create a symlink and then you have two stanzas in inputs.conf.
remember to put in your symlink stanza the following items:

crcSalt = <SOURCE>
followSymlink = true

Bye.
Giuseppe

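
Putting the accepted solution and this reply together, the following is an added example configuration written for this page; it is not taken from either post. The names /A/B/C, index1/index2, st1/st2 and cluster1/cluster2 come from the question; the symlink path /A/B/C_copy, the indexer addresses, and the index rewrite through `_MetaData:Index` are assumptions added here. Option 1 keeps everything on the forwarder using a symlink; option 2 sends one copy of the stream, tagged index1/st1, to both clusters and rewrites sourcetype and index on the cluster2 indexers. The two inputs.conf fragments are alternatives, so deploy only one of them.

```ini
# ----------------------------------------------------------------
# Option 1: symlink on the forwarder
# Prerequisite (assumed path): ln -s /A/B/C /A/B/C_copy
# ----------------------------------------------------------------

# inputs.conf on the forwarder
[monitor:///A/B/C]
index = index1
sourcetype = st1
_TCP_ROUTING = cluster1

[monitor:///A/B/C_copy]
index = index2
sourcetype = st2
_TCP_ROUTING = cluster2
# read through the link instead of skipping it
followSymlink = true
# salt the fishbucket CRC with the source path, so the same file seen
# under the second path gets its own fishbucket entry and is read again
crcSalt = <SOURCE>

# outputs.conf on the forwarder: one tcpout group per cluster
# (indexer addresses are placeholders)
[tcpout]
defaultGroup = cluster1

[tcpout:cluster1]
server = idx1a.example.com:9997, idx1b.example.com:9997

[tcpout:cluster2]
server = idx2a.example.com:9997, idx2b.example.com:9997

# ----------------------------------------------------------------
# Option 2: one stream to both clusters, rewrite on cluster2 indexers
# ----------------------------------------------------------------

# inputs.conf on the forwarder (same outputs.conf as above)
[monitor:///A/B/C]
index = index1
sourcetype = st1
# comma-separated list: the same events go to both tcpout groups
_TCP_ROUTING = cluster1,cluster2

# props.conf on the cluster2 indexers only (push it from the cluster manager)
[st1]
TRANSFORMS-retag = set_st2, set_index2

# transforms.conf on the cluster2 indexers only
[set_st2]
REGEX = .
FORMAT = sourcetype::st2
DEST_KEY = MetaData:Sourcetype

[set_index2]
REGEX = .
FORMAT = index2
DEST_KEY = _MetaData:Index
```

Two caveats worth checking before choosing. With option 1, crcSalt = <SOURCE> ties the fishbucket entry to the path, so a file that is renamed by log rotation is treated as new and re-indexed; test this against your rotation scheme. With option 2, the transforms run in the typing queue after line breaking and timestamp extraction, so those steps use the st1 settings, not st2's, and index2 must already exist on cluster2 or the rewritten events will not land where you expect.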

mayurr98
Super Champion

tusharsaran1
Path Finder

Not exactly. I have edited my question's original description to provide more context.


mayurr98
Super Champion

I have edited the answer, please check.
