I have the following outputs defined on all my universal forwarders:
[tcpout]
defaultGroup = prod-group, valid-group

[tcpout:prod-group]
server = server1:9997

[tcpout:valid-group]
server = server2:9997

[tcpout:dev-group]
server = server3:9997
DefaultGroup may be different on some UF.
Inputs to the index "_internal" are sent to each output group because the file "$SPLUNK_HOME/apps/SplunkUniversalForwarder/default/inputs.conf" has the following contents:

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal
I want to send these events only to the groups defined as defaultGroup.
I presume I will have to create a new "local/inputs.conf" file with a redefinition of _TCP_ROUTING like

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = ????

But I have no idea of the definition I have to give to _TCP_ROUTING.
More details on how to manage logs for
The _internal index is populated by the following stanzas:

$SPLUNK_HOME/etc/default/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
[monitor://$SPLUNK_HOME/etc/splunk.version]

$SPLUNK_HOME/apps/SplunkUniversalForwarder/default/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
If we want to forward the logs only to "prod-group", then create the following in $SPLUNK_HOME/etc/system/local/inputs.conf:

[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = prod-group
First, you don't need to insert _TCP_ROUTING = * when you want to route your events to all indexers, because by default, when there isn't any _TCP_ROUTING option, events are routed to all indexers (with growth of license consumption!).
When you use _TCP_ROUTING there isn't a default group.
So, you have to:
copy the stanzas with index = _internal from $SPLUNK_HOME/etc/system/default/inputs.conf into $SPLUNK_HOME/etc/system/local/inputs.conf;
add _TCP_ROUTING = prod-group (or valid-group or dev-group);
Before doing this, evaluate what you want to do with the other internal Splunk index (_audit).
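As an added example illustrating both answers above (it is not part of the original thread and not Splunk's own tooling; on a real forwarder, `splunk btool inputs list --debug` shows the merged result), the script below layers constructed copies of the inputs.conf and outputs.conf fragments from this thread the way the forwarder merges them (system/default, then the app's default, then system/local, later layers overriding individual settings) and reports which tcpout groups each monitor:// stanza is forwarded to. It encodes the routing rules documented in the inputs.conf spec, assumed here: a stanza with no _TCP_ROUTING follows the groups in [tcpout] defaultGroup, _TCP_ROUTING = * goes to every [tcpout:<group>] stanza, and an explicit list goes to exactly those groups. App-level local directories are ignored for brevity.

```python
"""Added example, not code from the original thread or from Splunk.
Resolves where each monitor:// stanza's events are forwarded by merging
.conf layers in precedence order. All .conf text below is constructed."""
import configparser
from typing import Dict, List

# outputs.conf as posted in the question (constructed copy).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = prod-group, valid-group

[tcpout:prod-group]
server = server1:9997

[tcpout:valid-group]
server = server2:9997

[tcpout:dev-group]
server = server3:9997
"""

# Lowest-precedence layer: $SPLUNK_HOME/etc/system/default/inputs.conf
INPUTS_SYSTEM_DEFAULT = """
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/etc/splunk.version]
index = _internal
"""

# App layer: $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default/inputs.conf
INPUTS_APP_DEFAULT = """
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = *
index = _internal
"""

# Highest-precedence layer: $SPLUNK_HOME/etc/system/local/inputs.conf (the override)
INPUTS_SYSTEM_LOCAL = """
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = prod-group

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = prod-group
"""

Conf = Dict[str, Dict[str, str]]


def merge_layers(layers: List[str]) -> Conf:
    """Merge .conf texts given lowest-precedence first. A later layer overrides
    individual settings of a stanza; it never replaces the whole stanza."""
    merged: Conf = {}
    for text in layers:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # keep the case of _TCP_ROUTING and friends
        cp.read_string(text)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(dict(cp[stanza]))
    return merged


def split_groups(value: str) -> List[str]:
    """Parse a comma-separated group list such as 'prod-group, valid-group'."""
    return [g.strip() for g in value.split(",") if g.strip()]


def resolve_routing(inputs_layers: List[str], outputs_layers: List[str]) -> Dict[str, List[str]]:
    """Map every monitor:// stanza to the tcpout groups it will be sent to."""
    inputs = merge_layers(inputs_layers)
    outputs = merge_layers(outputs_layers)
    all_groups = [s[len("tcpout:"):] for s in outputs if s.startswith("tcpout:")]
    default_groups = split_groups(outputs.get("tcpout", {}).get("defaultGroup", ""))
    table: Dict[str, List[str]] = {}
    for stanza, settings in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        routing = settings.get("_TCP_ROUTING")
        if routing is None:            # no setting: defaultGroup applies
            table[stanza] = list(default_groups)
        elif routing.strip() == "*":   # wildcard: every defined tcpout group
            table[stanza] = list(all_groups)
        else:                          # explicit list of groups
            table[stanza] = split_groups(routing)
    return table


# Before the override: the two system/default stanzas follow defaultGroup,
# the two app stanzas (_TCP_ROUTING = *) go to all three groups.
ROUTING_BEFORE = resolve_routing([INPUTS_SYSTEM_DEFAULT, INPUTS_APP_DEFAULT], [OUTPUTS_CONF])
# After adding system/local/inputs.conf: all four stanzas go to prod-group only.
ROUTING_AFTER = resolve_routing(
    [INPUTS_SYSTEM_DEFAULT, INPUTS_APP_DEFAULT, INPUTS_SYSTEM_LOCAL], [OUTPUTS_CONF])

if __name__ == "__main__":
    for label, table in (("before override", ROUTING_BEFORE), ("after override", ROUTING_AFTER)):
        print(label)
        for stanza, groups in table.items():
            print(f"  {stanza} -> {', '.join(groups)}")
```

The script only models the merge; it does not know which host each group's servers belong to, so cross-check the result against `splunk btool outputs list --debug` on the forwarder whose defaultGroup differs from the others, since those forwarders are exactly the ones where a hard-coded group name in system/local diverges from defaultGroup.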
I don't want to insert _TCP_ROUTING = "*". Splunk does it by default in the app "Splunkforwarder". I don't want to modify the file in the "default" directory.
One way is probably to redefine _TCP_ROUTING in the "local" directory. It's easy to redirect events to "prod-group" or "valid-group". But how do I have to define _TCP_ROUTING to send events to the output(s) defined as defaultGroup?