Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Output to multiple destinations with one of them u...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Output to multiple destinations with one of them using discovery and different certificate authorities?
Assume for the moment that these work individually:
Outputs1
[tcpout]
defaultGroup = primary_indexers
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true
[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089
[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem
Outputs2
[tcpout]
defaultGroup = heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true
[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem
If I understand the documentation correctly all we would need to do is this:
[tcpout]
defaultGroup = primary_indexers, primary_heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true
[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089
[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem
[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem
Is this correct? In this configuration the exact same data would be flowing to both destinations? There would be no issues binding the certifcates to different stanzas?
I appreciate the responses.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bump.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
