Getting Data In

How to route a monitor input to specific indexer?

cybermonday
Explorer

I have a Syslog collector receiving logs from multiple Syslog devices and writing them in a directory-structured log file. The same host runs as my HF.
One of those .log files, I want to read using [monitor] and send to a specific indexer (10.20.30.40:9998)
where others continued to be read by their respective monitors and sent to one of the indexers as chosen by indexerDiscovery (some configs in my below outputs are missing but that works as that's not the issue).

the issue is - I am facing difficulty in onboarding logs from this .log file, however, I am getting the internal logs of the HF which means there is no networking issue.

below are my configs, any correction in them would be highly appreciated.


inputs.conf
----------------------------------------------------------
[monitor:///var/log/splunk/Checkpoint/*/*.log]
disabled = 0
Sourcetype = cp_log
index = index1
host_segment = 5
# _TCP_ROUTING = isolationGroup

[monitor:///var/log/splunk/Checkpoint_sys/*/*.log]
disabled = 0
Sourcetype = cp_log
index = index1
host_segment = 5


props.conf
----------------------------------------------------------
[cp_log]
TRANSFORMS-routing = isolationRouting


transforms.conf
----------------------------------------------------------
[isolationRouting]
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = isolationGroup


outputs.conf
----------------------------------------------------------
[tcpout:my_indexers]
clientCert = /opt/splunk/etc/auth/my_certs/my_serverCert.pem
indexerDiscovery = MyIndexersDiscovery
useACK = true

[tcpout:isolationGroup]
server = 10.20.30.40:9998

 

Labels (3)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @cybermonday,

as described at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad#Route_inputs... you have to apply this configuration to the system that you're using to ingest data:

outputs.conf

[monitor:///var/log/splunk/Checkpoint/*/*.log]
disabled = 0
Sourcetype = cp_log
index = index1
host_segment = 5
_TCP_ROUTING = isolationGroup

[monitor:///var/log/splunk/Checkpoint_sys/*/*.log]
disabled = 0
Sourcetype = cp_log
index = index1
host_segment = 5

inputs.conf

[tcpout:my_indexers]
clientCert = /opt/splunk/etc/auth/my_certs/my_serverCert.pem
indexerDiscovery = MyIndexersDiscovery
useACK = true

[tcpout:isolationGroup]
server = 10.20.30.40:9998

you don't need of props and transforms, they are used to modify some values after inputs, on Heavy Forwarders or Indexers.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...