Solved: Re: Issue with default outputs when _TCP_ROUTING

Olivier_T · ‎07-17-2020

Hello,

I have many forwarders sending logs to a cluster of indexers, and for some logs I need to send it not cooked.

The problem is, when I add _TCP_ROUTING in my inputs.conf file, the logs are well sent to the correct server without being cooked, but they are not visible in Splunk (in the indexers). When I comment _TCP_ROUTING, the logs are correctly sent to the indexers.

I noticed that when I re-comment the _TCP_ROUTING, the logs are not loose and appearing in Splunk after 1-2 minutes.

inputs.conf

[monitor:///pqth/to/logs/*/*.log]
sourcetype = my:sourcetype
index = myindex
_TCP_ROUTING = logs_uncooked_to_send

outputs.conf

[tcpout]
defaultGroup = default

[tcpout:default]
server = indexer1:9997,indexer2:9997,indexer3:9997,indexer4:9997
autoLBFrequency = 10

[tcpout:logs_uncooked_to_send]
server = server1:5066
sendCookedData= false

Any idea what is blocking ? Maybe something I missed/don't mentioned here ?

isoutamo · ‎07-17-2020

Hi

I think that when you want to sending those to both server and indexers you must add “,default” to the _TCP_ROUTING parameter.

r. Ismo

View solution in original post

isoutamo · ‎07-17-2020

Hi

I think that when you want to sending those to both server and indexers you must add “,default” to the _TCP_ROUTING parameter.

r. Ismo

Olivier_T · ‎07-19-2020

Hi, thank you for your answer,

I thought about it but I was wondering if because there is "sendCookedData=false", it will send data not cooked to the indexers ?

I will try it and tell you if it works.

isoutamo · ‎07-20-2020

Now you are sending it only to one target server1 not to the both. If you want send it to both target then you must add the second (which contain indexers) to the _TCP_ROUTING

That sendCoockedData is connection specific parameter it don’t define connection itself.

Olivier_T · ‎07-20-2020

When there isn't _TCP_ROUTING, it is well sent to the indexers.
When I add _TCP_ROUTING, if I understand, it stops sending to the default group ?

I tried to add ",default" but when it's pushed, I can't see the logs from my indexers via Splunk. When I comment the line and repush the conf, the logs reappeared (I checked with the appropriate time range to be sure).

richgalloway · ‎07-17-2020

I take it you are using heavy forwarders. Why not use universal forwarders, which don't cook data?

---
If this reply helps you, Karma would be appreciated.

Olivier_T · ‎07-19-2020

Thank you for your reply,

I'm already using Universal Forwarders, do I need to change something to my conf to work ?

richgalloway · ‎07-20-2020

Why are you using _TCP_ROUTING? What problem are you trying to solve with it? Universal Forwarders do not send cooked data and they automatically balance load among indexers so I don't see what you're trying to accomplish with this atypical config.

---
If this reply helps you, Karma would be appreciated.

Issue with default outputs when _TCP_ROUTING

inputs.conf

universal forwarder

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life