Getting Data In

Route data on Heavy Forwarder is not working

lit_gustavo
Engager

Hi guys I tried hard here and read some docs:
(https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf)
(https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Propsconf)
(https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Transformsconf)
(https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Outputsconf)
(https://docs.splunk.com/Documentation/Splunk/7.1.0/Forwarding/Forwarddatatothird-partysystemsd)
(https://answers.splunk.com/answers/474297/how-to-route-and-filter-data-on-the-heavy-forwarde.html?ut...)

But I don´t know what I am doing wrong. I just have to send data to different indexers, but my Heavy Forwarder is clonning the data (I need some of data on indexer01 and the other on indexer02).

Here is my inputs.conf (all configs on my Heavy Forwarder)

[splunktcp://9997]

Here is my props.conf

[host::SRVPRD0001]
TRANSFORMS-routing = index01

[host::SRVPRD0002]
TRANSFORMS-routing = index02

[host::SRVPRD0003]
TRANSFORMS-routing = index02

[host::SRVPRD0004]
TRANSFORMS-routing = index02

[host::SRVPRD0005]
TRANSFORMS-routing = index02

Here my transforms.conf

[index01]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=sendtoidx01

[index02]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=sendtoidx02

Here my outputs.conf

[default]
indexAndForward=false

[tcpout:sendtoidx01]
disabled=false
server=192.168.1.73:9997

[tcpout:sendtoidx02]
disabled=false
server=192.168.1.72:9997
0 Karma

xpac
SplunkTrust
SplunkTrust

Any chance that your props stanzas don't match? Everything else looks fine to me...

0 Karma

lit_gustavo
Engager

Hi xpac, I changed the stanza on my props.conf to browser

[browser]
TRANSFORMS-routing = index02

That way all data should flow only to index02, however my heavy forwarder still splits the data.

0 Karma

xpac
SplunkTrust
SplunkTrust

Mhh, I'd try a splunk btool props list or splunk show config propsto see if the config is actually applied, or if anything is applied after those transforms that might reset the _TCP_ROUTING variable...

0 Karma

lit_gustavo
Engager

I checked my transforms.conf and the two _TCP_ROUTING are from my [index01] and [index02] stanzas

And on my props.conf I can see my transformation applied.

/opt/splunk/etc/apps/hf/local/props.conf [browser]
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE =
/opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True
/opt/splunk/etc/system/default/props.conf CHARSET = UTF-8
/opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml
/opt/splunk/etc/system/default/props.conf HEADER_MODE =
/opt/splunk/etc/system/default/props.conf LEARN_MODEL = true
/opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true
/opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100
/opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000
/opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600
/opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800
/opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
/opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER =
/opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE =
/opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing
/opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full
/opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner
/opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer
/opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none
/opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard
/opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True
/opt/splunk/etc/system/default/props.conf TRANSFORMS =
/opt/splunk/etc/apps/hf/local/props.conf TRANSFORMS-routing = index02
/opt/splunk/etc/system/default/props.conf TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false
/opt/splunk/etc/system/default/props.conf maxDist = 100
/opt/splunk/etc/system/default/props.conf priority =
/opt/splunk/etc/system/default/props.conf sourcetype =

0 Karma