Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to redirect some data coming into an indexer (HEC) to another indexer?

twinspop
Influencer
‎07-05-2019 08:37 AM

I have Http Event Collector inputs defined on an indexer cluster. I need to send one of the tokens' data to a different indexer. _TCP_ROUTING in inputs, plus an outputs.conf def?
If so, what magic in outputs.conf do I need to ensure most traffic ignores the special case and just indexes normally?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twinspop
Influencer
‎07-09-2019 06:45 PM

The bottom of this page has an example of how to do it using selective indexing.

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Outputsconf

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

twinspop
Influencer
‎07-09-2019 06:45 PM

The bottom of this page has an example of how to do it using selective indexing.

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Outputsconf

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎07-07-2019 04:28 AM

Yes, your proposed method will work. I've done it before just fine.

Inputs:

[yourstanza]
_TCP_ROUTING=YourRoutingGroup

Outputs:

[splunk-tcp://YourRoutingGroup]
server=yourserver

Everything else will use the default routing group

Here's an example using plain TCP:

[tcpout]
defaultGroup=everythingElseGroup

[tcpout:syslogGroup]
server=10.1.1.197:9996, 10.1.1.198:9997

[tcpout:errorGroup]
server=10.1.1.200:9999

[tcpout:everythingElseGroup]
server=10.1.1.250:6666

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎07-09-2019 05:48 PM

That didn't work. I added this stanza (alone) to the CM and applied. No other changes. I had assumed that default would remain undefined and therefore it would index locally.

[tcpout:dc1_indexers]
server = dc1_indexers:9997
autoLBFrequency = 20
autoLBVolume = 10000
compressed = true
useACK = false

All locally indexed data disappeared, and tons of logs regarding TcpOutputProc connections to the indexers in the dc1_indexers cluster above.

So how do you add an output destination that will not take over default when you want to maintain local indexing?

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎07-07-2019 04:29 AM

You can also use regex in transforms to set the tcp routing:

https://docs.splunk.com/Documentation/Splunk/7.3.0/Forwarding/Routeandfilterdatad

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...