Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

UF - Route inputs to specific indexers based on the data's input

lisaac
Path Finder
‎10-01-2014 05:44 AM

I have a UF running at version 6.0.4. I have configured an inputs.conf value to route to a different indexer. The UF isn't honoring the statements in the inputs.conf and outputs.conf. This should work per the data @ http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Route_inputs_to_spe...

Outputs.conf: 

[tcpout] 
indexAndForward = true 
disabled = false 
defaultGroup=indexer1-11 

[tcpout:indexer1] 
maxConnectionsPerIndexer = 1 
autoLB = true 
autoLBFrequency = 60 
server = xx.xx.51.109:9997

[tcpout:indexerdev] 
server = xx.xx.144.235:9996 
sendCookedData = true 
dropEventsOnQueueFull = 60

inputs.conf 

[WinEventLog:Security] 
disabled = 0 
start_from = oldest 
current_only = 0 
evt_resolve_ad_obj = 1 
checkpointInterval = 5 
index = sys_sec_nonprod 
_TCP_ROUTING = indexerdev 

[WinEventLog://Security] 
checkpointInterval = 5 
current_only = 0 
disabled = 0 
evt_resolve_ad_obj = 1 
index = sys_sec_nonprod 
start_from = oldest 
_TCP_ROUTING = indexerdev

Yes, there are duplicate statements in the inputs.conf. I don't believe that is the core issue. Both are set to route using _TCP_ROUTING. Am I missing something?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MarioM
Motivator
‎10-01-2014 07:04 AM

There is the below known issue as per release notes:
Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields
(_*, _meta or _TCP_ROUTING) (SPL-79421) .

http://docs.splunk.com/Documentation/Splunk/6.0.4/ReleaseNotes/KnownIssues

The workaround is to setup the Windows _TCP_ROUTING at the default level for all inputs in .../system/local/inputs.conf

[default]
_TCP_ROUTING=mywindowsdestinationtcpout

and use custom _TCP_ROUTING for non windows inputs (not Modular inputs)

[monitor://path/to/my/file]
_TCP_ROUTING=myotherdestinationtcpout

View solution in original post

Reply
Solved! Jump to solution

vsheridan_splun
Splunk Employee
Splunk Employee
‎07-21-2016 09:29 AM

This issue (SPL-79421) has been resolved in Splunk 6.3 and is incorporated in Splunk 6.4.
You can get the latest Splunk release from: https://www.splunk.com/en_us/download/splunk-enterprise.html

Reply
Solved! Jump to solution
Solution

MarioM
Motivator
‎10-01-2014 07:04 AM

There is the below known issue as per release notes:
Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields
(_*, _meta or _TCP_ROUTING) (SPL-79421) .

http://docs.splunk.com/Documentation/Splunk/6.0.4/ReleaseNotes/KnownIssues

The workaround is to setup the Windows _TCP_ROUTING at the default level for all inputs in .../system/local/inputs.conf

[default]
_TCP_ROUTING=mywindowsdestinationtcpout

and use custom _TCP_ROUTING for non windows inputs (not Modular inputs)

[monitor://path/to/my/file]
_TCP_ROUTING=myotherdestinationtcpout
Reply
Solved! Jump to solution

lisaac
Path Finder
‎10-01-2014 06:15 AM

I see starting with 4.2, this attribute is no longer required. Thanks for the input. How does a UF know where to send data unless one is specified? I could remove the defaultGroup and then route to a destination based on changes to inputs.conf. This would be a little bit of work, and the outputs.conf.spec file shows that this can be overriden with the _TCP_ROUTING setting.

[tcpout]
defaultGroup = , , ...
Comma-separated list of one or more target group names, specified later in [tcpout:] stanzas.
The forwarder sends all data to the specified groups.
If you don't want to forward data automatically, don't set this attribute.
Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a
props.conf/transforms.conf modifier.
* Starting with 4.2, this attribute is no longer required.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-01-2014 06:22 AM

Do it like in the docs example provided, set _TCP_ROUTING in inputs.conf

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-01-2014 05:59 AM

Starting with Splunk 4.2, defaultGroup attribute is no longer required.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...