I have a small scale Splunk Enterprise instance installed on one server which does not index the data locally. Data is pointed to a central server to index it. Outputs on that server are configured/polled through deployment server. However, I now want to configure inputs which need to be indexed locally without disturbing the existing outputs.conf. If someone helps me with ideas, it would be a great help.
there are many examples:
- Index one input locally and then forward the remaining inputs
- Index one input locally and then forward all inputs
I used it.
Thanks Giuseppe!! I too got this option. but the thing is inorder to implement this option i should edit my outputs.conf which i dont like to since after a deploy poll push it may get change ..
Can we restrict to an app to send the data to dedicated indexer or local?
I mean to ask can we create outputs.conf where we can specify the data should index data locally in app?
To implement a selective indexing, you have to configure the outputs.conf file and then ALL the inputs.conf stanzas (each one)!
When you insert the command
TCPROUTING = mynewroute
in one stanza of inputs.conf file, the input is locally indexed or sent to the remote indexers.
otherwise if you don't insert the above command in a stanza, the inputs of the stanza are both locally indexed and sent to the remote indexers (and there is a doble license consumption!).
In outputs.conf you configure only the servers to send logs, the destination (local or remote) must be specified in each inputs.conf stanzas.
P.S.: please accept the answer if you like 😉
I dont think we need to change all other inputs stanza's with the TCPRouting if you have already specified defaultGroup as reomote server(indexer).
Can we create dedicated outputs.conf under the app where we need the inputs which needs the data index locally?if we do so the precedence goes to system/local or app/local since we have the inputs localy in the app?
General precedence s system /local but not sure about in case of above condition occurs...
I don't like to have more outputs.conf!
Everyway try with the dafault group, I found that when I don't insert TCPROUTING ... logs are sent to alla the indexers (local and remote).