I have a number of application deployments, and I want each deployment to send logs to a different instance of Splunk. Due to the network configuration (the apps are on Azure), I need to use a forwarder. I was looking at the help for the outputs.conf file, and didn't see anything obvious. Is it possible to set up a universal forwarder to listen on multiple ports, and send each port to a different target server?
Thanks!
Erick
Sure, but you need to configure both inputs.conf and outputs.conf. Something similar to this.
inputs.conf
[monitor:///var/log/httpd]
sourcetype=access_combined
_TCP_ROUTING=indexer1
[tcp://:12345]
_TCP_ROUTING=indexer2
[tcp://:45678]
_TCP_ROUTING=indexer3
outputs.conf
[tcpout:indexer1]
server=indexer1.Splunk.com:9997
[tcpout:indexer2]
server=indexer2.Splunk.com:9997
[tcpout:indexer3]
server=indexer3.Splunk.com:9997
This is exactly what I am looking for. Thanks! I will try this out first thing on Monday.
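A check for the routing in the answer above, as an added example that is not part of the original thread: it cross-references every `_TCP_ROUTING` value in inputs.conf against the `[tcpout:<group>]` stanzas in outputs.conf and reports inputs whose data would not reach the intended indexer. The function names `parse_conf` and `check_routing` are hypothetical, the sample adds a constructed typo (`indexer4`) and an unrouted port to the answer's files, and only per-stanza settings are read (inheritance from a `[default]` stanza is not modeled).

```python
import re
# Constructed sample: the answer's two files, with a hypothetical typo
# ("indexer4") and an extra unrouted input added to show what gets flagged.
INPUTS_CONF = """[monitor:///var/log/httpd]
sourcetype=access_combined
_TCP_ROUTING=indexer1
[tcp://:12345]
_TCP_ROUTING=indexer2
[tcp://:45678]
_TCP_ROUTING=indexer4
[tcp://:50000]
"""
OUTPUTS_CONF = """[tcpout:indexer1]
server=indexer1.Splunk.com:9997
[tcpout:indexer2]
server=indexer2.Splunk.com:9997
[tcpout:indexer3]
server=indexer3.Splunk.com:9997
"""

def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_routing(inputs_text, outputs_text):
    """Return (routes, problems): where each input is sent, and what is misrouted."""
    outputs = parse_conf(outputs_text)
    groups = {n.split(":", 1)[1]: c.get("server") for n, c in outputs.items() if n.startswith("tcpout:")}
    default = outputs.get("tcpout", {}).get("defaultGroup")
    routes, problems = {}, []
    for stanza, cfg in parse_conf(inputs_text).items():
        # _TCP_ROUTING takes a comma-separated list of tcpout group names.
        wanted = [g.strip() for g in cfg.get("_TCP_ROUTING", "").split(",") if g.strip()]
        if not wanted:
            problems.append(f"[{stanza}] has no _TCP_ROUTING; uses defaultGroup ({default})")
        for group in wanted:
            if group in groups:
                routes.setdefault(stanza, []).append(groups[group])
            else:
                problems.append(f"[{stanza}] routes to undefined group '{group}'")
    return routes, problems
if __name__ == "__main__":
    print("\n".join(check_routing(INPUTS_CONF, OUTPUTS_CONF)[1]))
```

Running it before restarting the forwarder catches a group-name typo that would otherwise send one deployment's logs to the wrong Splunk instance or nowhere.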