I have one universal forwarder (UF) that is sending production data to the production intermediate Forwarder (IF) and then on to the production indexers.
I would like to start collecting test data from the UF and send it to the LAB indexer.
Is there any way to change the outputs.conf for one app on the UF and leave the outputs.conf that is presently sending live data to the IF?
You'll want to specify TCP_ROUTING in your inputs. So, I'm assuming that you will have separate outputs.conf files with separate tcpout stanzas. What you'll want to do in your inputs.conf file is specify which tcpout stanza to use:
outputs.conf for app1:
[tcpout:IndexerA] server=192.168.56.101:8089 .... ....
outputs.conf for app2:
[tcpout:IndexerB] server=192.168.56.102:8089 .... ....
In your inputs.conf for each of the apps, you'll specify which tcpout stanza to use with TCP_ROUTING:
inputs.conf for app1
[monitor:///path/to/log/A/logA.log] # Add attributes to your monitor like sourcetype, index, etc .... .... # In the end, specify to which indexer this log should be sent using _TCP_ROUTING = <group name> _TCP_ROUTING = IndexerA
inputs.conf for app2:
[monitor:///path/to/log/B/logB.log] .... .... _TCP_ROUTING = IndexerB
I don't send data to an intermediate forwarder, but this is how I send separate data to separate indexers. Let me know if this helps.
Thanks @ragedsparrow I haven't tried this but this is the correct answer. Look at you helping out after just signing up a little over a year ago. "Lowe's" is lucky to have you. Thanks very much for helping out. Keep up the good work.
I appreciate it @hartfoml . I have had to look this up in the past and had it in a reference document to be used again if ever I needed it. when I came across your question it was very similar to what I was running into a while ago, so I figured I'd try to help.
Hi. would you mind looking at this configuration also please? I'm missing something in the flow, or should this be working?
hostsegment = 4
sourcetype = MWGaccess3
index = proxyindex
_TCPROUTING = mainindexclusteridx #main index cluster need a copy here for Splunk
SYSLOGROUTING = mskysapsysloggroup #alternate source a copy here for another syslog server
TRANSFORMS-mskysap = sendsyslogtomskysap
REGEX = .
DESTKEY = SYSLOGROUTING
FORMAT = mskysapsysloggroup
type = TCP
server = differentsyslogserver:514