TCPOUT Forwarding

ChristophRichte
Loves-to-Learn

Hey,

Actually, I am facing an issue forwarding data via tcpout.

My scope is to forward some data to the main indexer and a subset of the data with specific props.conf to another, but additionally keep the subset within the main indexer without using these additional props.conf settings.

 

Problem:

Data is actually sent to both, using props.conf for both tcpout.

sourcetype A + sourcetype XXX ---> also using Props/Transforms (should be ignored) ---> Main Indexer

sourcetype A ----> using Props/Transforms (required) --> Secondary Indexer

 

Scope:

sourcetype A + sourcetype XXX ---> also using Props/Transforms ---> Main Indexer

sourcetype A ----> Some Props/Transforms --> Secondary Indexer

 

Is there any solution to fix the problem?

 

Thank you for helping.

Regards,

Christoph


codebuilder
Influencer

Unless you are specifically meaning to do index time field extractions these files need to go on the search head(s), not the indexers. And you must have all settings combined in your configs.

If you are doing index time extraction, and your indexers are clustered, the files need to be identical there as well.

Both cases require a restart of Splunk.

----
An upvote would be appreciated and Accept Solution if it helps!

ChristophRichte
Loves-to-Learn

Hello,

 

Thank you for the response. I think I missed a point...

In my example I have two apps, for example app_send_indexer1 and app_send_indexer2, with the following confs:

app_send_indexer1 - (should not use props.conf for the specific sourcetype defined in app "app_send_indexer2")

outputs.conf

[tcpout]
indexAndForward = 0
defaultGroup = indexer1

[tcpout:indexer1]
server = xxx1

 

app_send_indexer2 - (should use props.conf  for specific sourcetype)

outputs.conf

[tcpout:indexer2] 
server = xxx2

props.conf --> should not used in general!!!

[mysource]
TRANSFORMS-test = my_field

 

transforms.conf

[my_field]

some data extraction

 

How is it possible to fix the problem, as I only need the extraction on one indexer?

Thank you very much.

Regards,

Christoph


codebuilder
Influencer

You mentioned "props.conf --> should not used in general!!!" in your reply.

You cannot use one without the other, they work together.

And again, I think you really need these on the search head(s), not the indexers.

This might be helpful:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Indextimeversussearchtime

----
An upvote would be appreciated and Accept Solution if it helps!