Getting Data In

UF - Route inputs to specific indexers based on the data's input

lisaac
Path Finder

I have a UF running at version 6.0.4. I have configured an inputs.conf value to route to a different indexer. The UF isn't honoring the statements in the inputs.conf and outputs.conf. This should work per the data @ http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Route_inputs_to_spe...

Outputs.conf:

[tcpout] 
indexAndForward = true 
disabled = false 
defaultGroup=indexer1-11 

[tcpout:indexer1] 
maxConnectionsPerIndexer = 1 
autoLB = true 
autoLBFrequency = 60 
server = xx.xx.51.109:9997

[tcpout:indexerdev] 
server = xx.xx.144.235:9996 
sendCookedData = true 
dropEventsOnQueueFull = 60 

inputs.conf

[WinEventLog:Security] 
disabled = 0 
start_from = oldest 
current_only = 0 
evt_resolve_ad_obj = 1 
checkpointInterval = 5 
index = sys_sec_nonprod 
_TCP_ROUTING = indexerdev 

[WinEventLog://Security] 
checkpointInterval = 5 
current_only = 0 
disabled = 0 
evt_resolve_ad_obj = 1 
index = sys_sec_nonprod 
start_from = oldest 
_TCP_ROUTING = indexerdev 

Yes, there are duplicate statements in the inputs.conf. I don't believe that is the core issue. Both are set to route using _TCP_ROUTING. Am I missing something?

Tags (2)
0 Karma
1 Solution

MarioM
Motivator

There is the below known issue as per release notes:
Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields
(_*, _meta or _TCP_ROUTING) (SPL-79421) .

http://docs.splunk.com/Documentation/Splunk/6.0.4/ReleaseNotes/KnownIssues

The workaround is to setup the Windows _TCP_ROUTING at the default level for all inputs in .../system/local/inputs.conf

[default]
_TCP_ROUTING=mywindowsdestinationtcpout

and use custom _TCP_ROUTING for non windows inputs (not Modular inputs)

[monitor://path/to/my/file]
_TCP_ROUTING=myotherdestinationtcpout

View solution in original post

vsheridan_splun
Splunk Employee
Splunk Employee

This issue (SPL-79421) has been resolved in Splunk 6.3 and is incorporated in Splunk 6.4.
You can get the latest Splunk release from: https://www.splunk.com/en_us/download/splunk-enterprise.html

MarioM
Motivator

There is the below known issue as per release notes:
Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields
(_*, _meta or _TCP_ROUTING) (SPL-79421) .

http://docs.splunk.com/Documentation/Splunk/6.0.4/ReleaseNotes/KnownIssues

The workaround is to setup the Windows _TCP_ROUTING at the default level for all inputs in .../system/local/inputs.conf

[default]
_TCP_ROUTING=mywindowsdestinationtcpout

and use custom _TCP_ROUTING for non windows inputs (not Modular inputs)

[monitor://path/to/my/file]
_TCP_ROUTING=myotherdestinationtcpout

lisaac
Path Finder

I see starting with 4.2, this attribute is no longer required. Thanks for the input. How does a UF know where to send data unless one is specified? I could remove the defaultGroup and then route to a destination based on changes to inputs.conf. This would be a little bit of work, and the outputs.conf.spec file shows that this can be overriden with the _TCP_ROUTING setting.

[tcpout]
defaultGroup = , , ...
Comma-separated list of one or more target group names, specified later in [tcpout:] stanzas.
The forwarder sends all data to the specified groups.
If you don't want to forward data automatically, don't set this attribute.
Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a
props.conf/transforms.conf modifier.
* Starting with 4.2, this attribute is no longer required.

0 Karma

MuS
Legend

Do it like in the docs example provided, set _TCP_ROUTING in inputs.conf

0 Karma

MuS
Legend

Starting with Splunk 4.2, defaultGroup attribute is no longer required.

0 Karma
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...