Getting Data In

How to forward _internal to defaultGroup

ktn01
Path Finder

Hello,
I have the following outputs defined on all my universal forwarders:

[tcpout]
defaultGroup = prod-group, valid-group

[tcpout:prod-group]
server = server1:9997

[tcpout:valid-group]
server = server2:9997

[tcpout:dev-group]
server = server3:9997

DefaultGroup may be different on some UF.

Inputs to index "_internal" are sent to each output group because the file "$SPLUNKHOME/apps/SplunkUniversalForwarder/default/inputs.conf" has the following contents:

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal

I want to send these events only to groups defined as defaultGroup.

I presume I will have to create a new "local/inputs.conf" file with a redefinition of _TCP_ROUTING like

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = ????

But I have no idea of the definition I have to give to _TCP_ROUTING.

Thanks

htidore
Path Finder

More details on how to manage logs for _internal.

The _internal index is populated by the following stanzas:

$SPLUNK_HOME/etc/default/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
[monitor://$SPLUNK_HOME/etc/splunk.version]
$SPLUNK_HOME/apps/SplunkUniversalForwarder/default/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]

If we want to forward the logs only to "prod-group" then create the following in

$SPLUNK_HOME/etc/system/local/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = prod-group
0 Karma

gcusello
SplunkTrust

Hi ktn01,
See http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad#Route_inputs_to_spe....
At first, you don't need to insert _TCP_ROUTING = * when you want to route your events to all indexers because by default, when there isn't any _TCP_ROUTING option, events are routed to all indexers (with growth of license consumption!).
When you use _TCP_ROUTING there isn't a default group.
So, you have to:

  • define in outputs.conf your tcpout stanzas: prod-group, valid-group or dev-group;
  • copy all the stanzas with index = _internal from $SPLUNK_HOME/etc/system/default/inputs.conf in $SPLUNK_HOME/etc/system/local/inputs.conf;
  • insert in every stanza _TCP_ROUTING = prod-group (or valid-group or dev-group);
  • restart Splunk.

Before doing this, evaluate what you want to do with the other internal Splunk index (_audit).

Bye.
Giuseppe

goelli
Communicator

I downvoted this post because it is not respecting the fact that _TCP_Routing = * is set by Splunk's default on Universal Forwarders, as stated already in the question.

0 Karma

ktn01
Path Finder

Hello,
I don't want to insert _TCP_ROUTING = "*". Splunk does it by default in the app "Splunkforwarder". I don't want to modify the file in the "default" directory.

A way is probably to redefine _TCP_ROUTING in the "local" directory. It's easy to redirect events to "prod-group" or "valid-group". But how do I have to define _TCP_ROUTING to send events to the output(s) defined as defaultGroup?

0 Karma

gcusello
SplunkTrust

Default is "to all indexers": if you don't insert _TCP_ROUTING, you send to all indexers; if you insert _TCP_ROUTING, you send to the selected indexer/s.
Bye.
Giuseppe

0 Karma

ktn01
Path Finder

Hello,
I tried

_TCP_ROUTING = $defaultGroup

_TCP_ROUTING = ""

and

_TCP_ROUTING =

but it doesn't work.

0 Karma
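
An added example, not part of any post in this thread: since the substitutions tried above did not work and defaultGroup differs between forwarders, one option is to generate the local inputs.conf per forwarder from that forwarder's own outputs.conf. The sketch assumes _TCP_ROUTING takes a comma-separated list of tcpout group names (as Splunk's inputs.conf spec describes); the function names and the sample outputs.conf text are constructed for illustration.

```python
import configparser

# Monitor stanzas that feed _internal, as listed in htidore's reply above.
INTERNAL_STANZAS = [
    "monitor://$SPLUNK_HOME/var/log/splunk",
    "monitor://$SPLUNK_HOME/etc/splunk.version",
    "monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log",
    "monitor://$SPLUNK_HOME/var/log/splunk/metrics.log",
]

# Constructed sample, mirroring the outputs.conf from the question.
SAMPLE_OUTPUTS = """\
[tcpout]
defaultGroup = prod-group, valid-group

[tcpout:prod-group]
server = server1:9997

[tcpout:valid-group]
server = server2:9997

[tcpout:dev-group]
server = server3:9997
"""

def default_groups(outputs_conf_text):
    """Return the tcpout group names listed in defaultGroup, in order."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep setting names case-sensitive (defaultGroup)
    cp.read_string(outputs_conf_text)
    raw = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in raw.split(",") if g.strip()]
    if not groups:
        raise ValueError("no defaultGroup set in [tcpout]")
    # Refuse to route to a group that has no [tcpout:<name>] stanza.
    missing = [g for g in groups if not cp.has_section("tcpout:" + g)]
    if missing:
        raise ValueError("defaultGroup names undefined groups: " + ", ".join(missing))
    return groups

def render_local_inputs(outputs_conf_text):
    """Build local inputs.conf text pinning _internal inputs to defaultGroup."""
    routing = ",".join(default_groups(outputs_conf_text))
    return "\n".join(f"[{s}]\n_TCP_ROUTING = {routing}\n" for s in INTERNAL_STANZAS)

if __name__ == "__main__":
    print(render_local_inputs(SAMPLE_OUTPUTS))
```

The generated text belongs in $SPLUNK_HOME/etc/system/local/inputs.conf, the location used in htidore's reply, followed by the restart from gcusello's steps.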