I have a Syslog collector receiving logs from multiple Syslog devices and writing them in a directory-structured log file. The same host runs as my HF.
One of those .log files, I want to read using [monitor] and send to a specific indexer (10.20.30.40:9998)
where others continued to be read by their respective monitors and sent to one of the indexers as chosen by indexerDiscovery (some configs in my below outputs are missing but that works as that's not the issue).
the issue is - I am facing difficulty in onboarding logs from this .log file, however, I am getting the internal logs of the HF which means there is no networking issue.
below are my configs, any correction in them would be highly appreciated.
inputs.conf
----------------------------------------------------------
[monitor:///var/log/splunk/Checkpoint/*/*.log]
disabled = 0
Sourcetype = cp_log
index = index1
host_segment = 5
# _TCP_ROUTING = isolationGroup
[monitor:///var/log/splunk/Checkpoint_sys/*/*.log]
disabled = 0
Sourcetype = cp_log
index = index1
host_segment = 5
props.conf
----------------------------------------------------------
[cp_log]
TRANSFORMS-routing = isolationRouting
transforms.conf
----------------------------------------------------------
[isolationRouting]
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = isolationGroup
outputs.conf
----------------------------------------------------------
[tcpout:my_indexers]
clientCert = /opt/splunk/etc/auth/my_certs/my_serverCert.pem
indexerDiscovery = MyIndexersDiscovery
useACK = true
[tcpout:isolationGroup]
server = 10.20.30.40:9998
Hi @cybermonday,
as described at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad#Route_inputs... you have to apply this configuration to the system that you're using to ingest data:
outputs.conf
[monitor:///var/log/splunk/Checkpoint/*/*.log]
disabled = 0
Sourcetype = cp_log
index = index1
host_segment = 5
_TCP_ROUTING = isolationGroup
[monitor:///var/log/splunk/Checkpoint_sys/*/*.log]
disabled = 0
Sourcetype = cp_log
index = index1
host_segment = 5
inputs.conf
[tcpout:my_indexers]
clientCert = /opt/splunk/etc/auth/my_certs/my_serverCert.pem
indexerDiscovery = MyIndexersDiscovery
useACK = true
[tcpout:isolationGroup]
server = 10.20.30.40:9998
you don't need of props and transforms, they are used to modify some values after inputs, on Heavy Forwarders or Indexers.
Ciao.
Giuseppe