Getting Data In

UF - Route inputs to specific indexers based on the data's input

lisaac
Path Finder

I have a UF running at version 6.0.4. I have configured an inputs.conf value to route to a different indexer. The UF isn't honoring the statements in the inputs.conf and outputs.conf. This should work per the data @ http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Route_inputs_to_spe...

Outputs.conf:

[tcpout] 
indexAndForward = true 
disabled = false 
defaultGroup=indexer1-11 

[tcpout:indexer1] 
maxConnectionsPerIndexer = 1 
autoLB = true 
autoLBFrequency = 60 
server = xx.xx.51.109:9997

[tcpout:indexerdev] 
server = xx.xx.144.235:9996 
sendCookedData = true 
dropEventsOnQueueFull = 60 

inputs.conf

[WinEventLog:Security] 
disabled = 0 
start_from = oldest 
current_only = 0 
evt_resolve_ad_obj = 1 
checkpointInterval = 5 
index = sys_sec_nonprod 
_TCP_ROUTING = indexerdev 

[WinEventLog://Security] 
checkpointInterval = 5 
current_only = 0 
disabled = 0 
evt_resolve_ad_obj = 1 
index = sys_sec_nonprod 
start_from = oldest 
_TCP_ROUTING = indexerdev 

Yes, there are duplicate statements in the inputs.conf. I don't believe that is the core issue. Both are set to route using _TCP_ROUTING. Am I missing something?

0 Karma
1 Solution

MarioM
Motivator

There is the below known issue as per release notes:
Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields (_*, _meta or _TCP_ROUTING) (SPL-79421).

http://docs.splunk.com/Documentation/Splunk/6.0.4/ReleaseNotes/KnownIssues

The workaround is to set up the Windows _TCP_ROUTING at the default level for all inputs in .../system/local/inputs.conf

[default]
_TCP_ROUTING=mywindowsdestinationtcpout

and use custom _TCP_ROUTING for non-Windows inputs (not Modular inputs)

[monitor://path/to/my/file]
_TCP_ROUTING=myotherdestinationtcpout


vsheridan_splun
Splunk Employee

This issue (SPL-79421) has been resolved in Splunk 6.3 and is incorporated in Splunk 6.4.
You can get the latest Splunk release from: https://www.splunk.com/en_us/download/splunk-enterprise.html

lisaac
Path Finder

I see starting with 4.2, this attribute is no longer required. Thanks for the input. How does a UF know where to send data unless one is specified? I could remove the defaultGroup and then route to a destination based on changes to inputs.conf. This would be a little bit of work, and the outputs.conf.spec file shows that this can be overridden with the _TCP_ROUTING setting.

[tcpout]
defaultGroup = , , ...
Comma-separated list of one or more target group names, specified later in [tcpout:] stanzas.
The forwarder sends all data to the specified groups.
If you don't want to forward data automatically, don't set this attribute.
Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a
props.conf/transforms.conf modifier.
* Starting with 4.2, this attribute is no longer required.

0 Karma

MuS
Legend

Do it like in the docs example provided, set _TCP_ROUTING in inputs.conf

0 Karma

MuS
Legend

Starting with Splunk 4.2, defaultGroup attribute is no longer required.

0 Karma