UF - Route inputs to specific indexers based on the data's input

Path Finder

I have a UF running at version 6.0.4. I have configured an inputs.conf value to route to a different indexer. The UF isn't honoring the statements in the inputs.conf and outputs.conf. This should work per the data @ http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Route_inputs_to_spe...

Outputs.conf:

[tcpout] 
indexAndForward = true 
disabled = false 
defaultGroup=indexer1-11 

[tcpout:indexer1] 
maxConnectionsPerIndexer = 1 
autoLB = true 
autoLBFrequency = 60 
server = xx.xx.51.109:9997

[tcpout:indexerdev] 
server = xx.xx.144.235:9996 
sendCookedData = true 
dropEventsOnQueueFull = 60 

inputs.conf

[WinEventLog:Security] 
disabled = 0 
start_from = oldest 
current_only = 0 
evt_resolve_ad_obj = 1 
checkpointInterval = 5 
index = sys_sec_nonprod 
_TCP_ROUTING = indexerdev 

[WinEventLog://Security] 
checkpointInterval = 5 
current_only = 0 
disabled = 0 
evt_resolve_ad_obj = 1 
index = sys_sec_nonprod 
start_from = oldest 
_TCP_ROUTING = indexerdev 

Yes, there are duplicate statements in the inputs.conf. I don't believe that is the core issue. Both are set to route using _TCP_ROUTING. Am I missing something?

0 Karma

Motivator

There is the below known issue as per release notes:
Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields
(*, _meta or _TCP_ROUTING) (SPL-79421).

http://docs.splunk.com/Documentation/Splunk/6.0.4/ReleaseNotes/KnownIssues

The workaround is to set up the Windows _TCP_ROUTING at the default level for all inputs in .../system/local/inputs.conf

[default]
_TCP_ROUTING=mywindowsdestinationtcpout

and use custom _TCP_ROUTING for non-Windows inputs (not Modular inputs)

[monitor://path/to/my/file]
_TCP_ROUTING=myotherdestinationtcpout

Splunk Employee

This issue (SPL-79421) has been resolved in Splunk 6.3 and is incorporated in Splunk 6.4.
You can get the latest Splunk release from: https://www.splunk.com/en_us/download/splunk-enterprise.html

Path Finder

I see starting with 4.2, this attribute is no longer required. Thanks for the input. How does a UF know where to send data unless one is specified? I could remove the defaultGroup and then route to a destination based on changes to inputs.conf. This would be a little bit of work, and the outputs.conf.spec file shows that this can be overridden with the _TCP_ROUTING setting.

[tcpout]
defaultGroup = , , ...
Comma-separated list of one or more target group names, specified later in [tcpout:] stanzas.
The forwarder sends all data to the specified groups.
If you don't want to forward data automatically, don't set this attribute.
Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a
props.conf/transforms.conf modifier.
* Starting with 4.2, this attribute is no longer required.

0 Karma

SplunkTrust

Do it like in the docs example provided, set _TCP_ROUTING in inputs.conf

0 Karma

SplunkTrust

Starting with Splunk 4.2, defaultGroup attribute is no longer required.

0 Karma
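
Added example, not code from any poster in this thread or from Splunk: a small Python check that reads inputs.conf and outputs.conf text and reports the routing problems discussed above, so Security event logs do not silently land on the wrong indexer. It flags group names with no matching [tcpout:...] stanza and per-input _TCP_ROUTING on WinEventLog/perfmon stanzas (the SPL-79421 case). The helper names parse_conf, names and lint_routing are hypothetical, and the sample config is condensed from the question.

```python
import re
# Sample config condensed from the question in this thread (addresses already redacted).
OUTPUTS = """[tcpout]
defaultGroup=indexer1-11
[tcpout:indexer1]
server = xx.xx.51.109:9997
[tcpout:indexerdev]
server = xx.xx.144.235:9996"""
INPUTS = """[WinEventLog://Security]
index = sys_sec_nonprod
_TCP_ROUTING = indexerdev
[monitor://path/to/my/file]
_TCP_ROUTING = myotherdestinationtcpout"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def names(value):
    """Split a comma-separated group list, dropping blanks."""
    return [n.strip() for n in value.split(",") if n.strip()]

def lint_routing(inputs_text, outputs_text):
    """Return findings for routing settings that will not behave as written."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    findings = []
    for name in names(outputs.get("tcpout", {}).get("defaultGroup", "")):
        if name not in groups:
            findings.append(f"outputs.conf: defaultGroup '{name}' has no [tcpout:{name}] stanza")
    for stanza, settings in inputs.items():
        routes = names(settings.get("_TCP_ROUTING", ""))
        for name in routes:
            if name != "*" and name not in groups:  # "*" is assumed here to mean all groups
                findings.append(f"inputs.conf [{stanza}]: _TCP_ROUTING '{name}' is not a tcpout group")
        # Known issue quoted in the thread (SPL-79421): WinEventLog/perfmon inputs do not pass it.
        if routes and stanza.lower().startswith(("wineventlog", "perfmon")):
            findings.append(f"inputs.conf [{stanza}]: per-input _TCP_ROUTING is affected by SPL-79421; set it under [default]")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_routing(INPUTS, OUTPUTS)))
```

The SPL-79421 finding only matters on forwarder versions that still have the known issue; per the reply above it was resolved in Splunk 6.3.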