Issue with default outputs when _TCP_ROUTING

Explorer

Hello,

I have many forwarders sending logs to a cluster of indexers, and for some logs I need to send them not cooked.

The problem is, when I add _TCP_ROUTING in my inputs.conf file, the logs are sent correctly to the correct server without being cooked, but they are not visible in Splunk (in the indexers). When I comment out _TCP_ROUTING, the logs are correctly sent to the indexers.

I noticed that when I re-comment the _TCP_ROUTING, the logs are not lost and appear in Splunk after 1-2 minutes.

inputs.conf

[monitor:///pqth/to/logs/*/*.log]
sourcetype = my:sourcetype
index = myindex
_TCP_ROUTING = logs_uncooked_to_send

outputs.conf

[tcpout]
defaultGroup = default

[tcpout:default]
server = indexer1:9997,indexer2:9997,indexer3:9997,indexer4:9997
autoLBFrequency = 10

[tcpout:logs_uncooked_to_send]
server = server1:5066
sendCookedData = false

Any idea what is blocking? Maybe something I missed/didn't mention here?

0 Karma
1 Solution

SplunkTrust

Hi

I think that when you want to send those to both the server and the indexers, you must add ",default" to the _TCP_ROUTING parameter.

r. Ismo

Explorer

Hi, thank you for your answer,

I thought about it, but I was wondering whether, because there is "sendCookedData=false", it will send data not cooked to the indexers?

I will try it and tell you if it works.

0 Karma

SplunkTrust

Now you are sending it only to one target, server1, not to both. If you want to send it to both targets, then you must add the second one (which contains the indexers) to the _TCP_ROUTING.

That sendCookedData is a connection-specific parameter; it doesn't define the connection itself.

0 Karma
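
An added example, not part of the original thread and not Splunk's own tooling: a small Python check that resolves which tcpout groups each input stanza ends up routed to, using the documented behavior that an explicit _TCP_ROUTING replaces defaultGroup rather than adding to it. The sample text is constructed from the configuration posted above; audit_routing and its report keys are hypothetical names, and configuration layering across several apps or files is not modeled.

```python
import configparser

# Constructed sample input mirroring the configuration posted in this thread.
INPUTS = """
[monitor:///pqth/to/logs/*/*.log]
sourcetype = my:sourcetype
index = myindex
_TCP_ROUTING = logs_uncooked_to_send
"""
OUTPUTS = """
[tcpout]
defaultGroup = default
[tcpout:default]
server = indexer1:9997,indexer2:9997,indexer3:9997,indexer4:9997
[tcpout:logs_uncooked_to_send]
server = server1:5066
sendCookedData= false
"""

def _parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: _TCP_ROUTING, defaultGroup
    cp.read_string(text)
    return cp

def _csv(value):
    return [g.strip() for g in value.split(",") if g.strip()]

def audit_routing(inputs_text, outputs_text):
    """Return {input stanza: {"groups", "undefined", "skips_default"}}."""
    inputs, outputs = _parse(inputs_text), _parse(outputs_text)
    defaults = _csv(outputs.get("tcpout", "defaultGroup", fallback=""))
    defined = {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")}
    report = {}
    for stanza in inputs.sections():
        routing = inputs.get(stanza, "_TCP_ROUTING", fallback=None)
        # An explicit _TCP_ROUTING replaces defaultGroup; it does not add to it.
        groups = _csv(routing) if routing is not None else defaults
        report[stanza] = {
            "groups": groups,
            "undefined": [g for g in groups if g not in defined],
            "skips_default": [d for d in defaults if d not in groups],
        }
    return report

if __name__ == "__main__":
    for stanza, r in audit_routing(INPUTS, OUTPUTS).items():
        print(stanza, r)
```

A non-empty skips_default for a monitored source means its events never reach the indexers, which is worth catching before the configuration is pushed to the forwarders.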

Explorer

When there isn't _TCP_ROUTING, it is sent correctly to the indexers.
When I add _TCP_ROUTING, if I understand, it stops sending to the default group?

I tried to add ",default" but when it's pushed, I can't see the logs from my indexers via Splunk. When I comment out the line and repush the conf, the logs reappeared (I checked with the appropriate time range to be sure).

0 Karma

SplunkTrust
I take it you are using heavy forwarders. Why not use universal forwarders, which don't cook data?
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

Thank you for your reply,

I'm already using Universal Forwarders. Do I need to change something in my conf for it to work?

0 Karma

SplunkTrust
Why are you using _TCP_ROUTING? What problem are you trying to solve with it? Universal Forwarders do not send cooked data and they automatically balance load among indexers so I don't see what you're trying to accomplish with this atypical config.
---
If this reply helps you, an upvote would be appreciated.
0 Karma