Getting Data In

How to forward _internal to defaultGroup

ktn01
Path Finder

Hello,
I have the following outputs defined on all my universal forwarders:

[tcpout]
defaultGroup = prod-group, valid-group

[tcpout:prod-group]
server = server1:9997

[tcpout:valid-group]
server = server2:9997

[tcpout:dev-group]
server = server3:9997

DefaultGroup may be different on some UF.

Inputs to index "_internal" are sent to each output group because the file "$SPLUNK_HOME/apps/SplunkUniversalForwarder/default/inputs.conf" has the following contents:

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal

I want to send these events only to the groups defined as defaultGroup.

I presume I will have to create a new "local/inputs.conf" file with a redefinition of _TCP_ROUTING like

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = ????

But I have no idea what definition I have to give to _TCP_ROUTING.

Thanks

htidore
Path Finder

More details on how to manage logs for _internal.

The _internal index is populated by the following stanzas:

$SPLUNK_HOME/etc/default/inputs.conf:
[monitor://$SPLUNK_HOME/var/log/splunk]
[monitor://$SPLUNK_HOME/etc/splunk.version]

$SPLUNK_HOME/apps/SplunkUniversalForwarder/default/inputs.conf:
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]

If we want to forward the logs only to "prod-group", then create the following in $SPLUNK_HOME/etc/system/local/inputs.conf:

[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = prod-group

gcusello
SplunkTrust

Hi ktn01,
see http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad#Route_inputs_to_spe....
First, you don't need to insert _TCP_ROUTING = * when you want to route your events to all indexers, because by default, when there isn't any _TCP_ROUTING option, events are routed to all indexers (with growth of license consumption!).
When you use _TCP_ROUTING there isn't a default group.
So, you have to:

  • define in outputs.conf your tcpout stanzas: prod-group, valid-group or dev-group;
  • copy all the stanzas with index = _internal from $SPLUNK_HOME/etc/system/default/inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf;
  • insert in every stanza _TCP_ROUTING = prod-group (or valid-group or dev-group);
  • restart Splunk.

Before doing this, evaluate what you want to do with the other internal Splunk index (_audit).

bye.
Giuseppe

goelli
Communicator

I downvoted this post because it is not respecting the fact that _TCP_ROUTING = * is set by Splunk's default on Universal Forwarders, as stated already in the question.

ktn01
Path Finder

Hello,
I don't want to insert _TCP_ROUTING = "*". Splunk does it by default in the app "Splunkforwarder". I don't want to modify the file in the "default" directory.

One way is probably to redefine _TCP_ROUTING in the "local" directory. It's easy to redirect events to "prod-group" or "valid-group". But how do I have to define _TCP_ROUTING to send events to the output(s) defined as defaultGroup?

gcusello
SplunkTrust

Default is "to all indexers": if you don't insert _TCP_ROUTING, you send to all indexers; if you insert _TCP_ROUTING, you send to the selected indexer/s.
Bye.
Giuseppe

ktn01
Path Finder

Hello,
I tried

_TCP_ROUTING = $defaultGroup

_TCP_ROUTING = ""

and

_TCP_ROUTING =

but it doesn't work.

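_TCP_ROUTING only accepts literal tcpout group names (a comma-separated list is fine), and inputs.conf has no token that expands to defaultGroup, so the value has to be written into each forwarder's own local/inputs.conf. The POSIX sh below is an added example, not code from this thread: it reads defaultGroup from the forwarder's outputs.conf and generates the four _internal stanzas listed above; the file paths are parameters, and the sample outputs.conf is constructed from the question.

```shell
# Added example (not from the thread): generate local/inputs.conf so the
# _internal monitors route only to the groups named in outputs.conf defaultGroup.

# Print the defaultGroup value from the [tcpout] stanza of the given outputs.conf.
default_group() {
  awk '
    /^[[:space:]]*\[/ { in_tcpout = ($0 ~ /^[[:space:]]*\[tcpout\][[:space:]]*$/); next }
    in_tcpout && /^[[:space:]]*defaultGroup[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }' "$1"
}

# Emit the four _internal monitor stanzas named in the thread, routed to "$1"
# (_TCP_ROUTING accepts a comma-separated list of tcpout group names).
internal_routing_stanzas() {
  for mon in '$SPLUNK_HOME/var/log/splunk' \
             '$SPLUNK_HOME/etc/splunk.version' \
             '$SPLUNK_HOME/var/log/splunk/splunkd.log' \
             '$SPLUNK_HOME/var/log/splunk/metrics.log'; do
    printf '[monitor://%s]\n_TCP_ROUTING = %s\n\n' "$mon" "$1"
  done
}

# Read outputs.conf ($1), write inputs.conf ($2); fail if no defaultGroup is set,
# so a forwarder without one is left untouched rather than routed nowhere.
write_internal_routing() {
  group=$(default_group "$1")
  [ -n "$group" ] || return 1
  internal_routing_stanzas "$group" > "$2"
}

# Constructed sample mirroring the outputs.conf in the question.
SAMPLE_OUTPUTS='[tcpout]
defaultGroup = prod-group, valid-group

[tcpout:prod-group]
server = server1:9997

[tcpout:dev-group]
server = server3:9997'

# Stand-alone run against the sample in a temporary directory.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_OUTPUTS" > "$tmp/outputs.conf"
  write_internal_routing "$tmp/outputs.conf" "$tmp/inputs.conf" && cat "$tmp/inputs.conf"
  rm -rf "$tmp"
}
demo
```

On a real forwarder, point the two paths at $SPLUNK_HOME/etc/system/local/outputs.conf and $SPLUNK_HOME/etc/system/local/inputs.conf (or ship the generated file through the deployment server) and restart the UF.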