Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to send same source data to two different logical indexes and two different indexers groups.

arunsunny
Path Finder
‎09-20-2017 06:41 AM

Hi All,

Facing few challlenges, mine is playing around with the same transforms.

I'm trying to achieve the same source data to forward to two different logical indexes and two different indexers groups.

Below is my senrio.

In props.conf used

[source::Dual_Data_Testing]
TRANSFORMS-source = Stan1, Stan2

In transforms.conf

[Stan1]
SOURCE_KEY = MetaData:Source
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = Index1
DEST_KEY = _TCP_ROUTING
FORMAT = IndexerGroup1

[Stan2]
SOURCE_KEY = MetaData:Source
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = Index2
DEST_KEY = _TCP_ROUTING
FORMAT = IndexerGroup2

Currently the above conf is not working.

Please any suggestion can we workaround for this ?

Thanks,
Arun Sunny

0 Karma
Reply

sbbadri
Motivator
‎09-20-2017 07:12 AM

try this

inputs.conf
[monitor://filepath1]
index=index1
_TCP_ROUTING = indexergroup1

[monitor://filepath1]
index=index2
_TCP_ROUTING = indexergroup2

Outputs.conf

[tcpout:indexergroup1]
server=server1:9997

[tcpout:indexergroup2]
server=server2:9997

0 Karma
Reply

arunsunny
Path Finder
‎09-20-2017 09:28 AM

Actually, I was trying for one of the DB input sources, so I cant duplicate the monitor stanza in inputs.conf

Thanks,

0 Karma
Reply

arunsunny
Path Finder
‎09-21-2017 09:04 AM

And I believe we can play around only once in _MetaData key values in transforms.conf .

0 Karma
Reply

sbbadri
Motivator
‎09-21-2017 11:23 AM

yeah thus why i have two different sourcetype for a source. But you mentioned that it is writing to only one sourcetype. May be you can try one with _TCP_ROUTING and another with _SYSLOG_ROUTING.

Check the below link,
http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad
Topic: Replicate a subset of data to a third-party system

0 Karma
Reply

sbbadri
Motivator
‎09-20-2017 12:02 PM

try this,

#props.conf
[source::Dual_Data_Testing]
sourcetype=sourcetype1

[source::Dual_Data_Testing]
sourcetype=sourcetype2

[sourcetype1]
TRANSFORMS-index_outputgroup1 = overrideindex1,outputgroup1

[sourcetype2]
TRANSFORMS-index_outputgroup2 = overrideindex2,outputgroup2

Transforms.conf

[overrideindex1]
DEST_KEY =_MetaData:Index
REGEX = .
FORMAT = my_new_index1

[overrideindex2]
DEST_KEY =_MetaData:Index
REGEX = .
FORMAT = my_new_index2

[outputgroup1]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=outputgroup11

[outputgroup2]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=outputgroup22

Outputs.conf

[tcpout:outputgroup11]
server=server1:9997

[tcpout:outputgroup22]
server=server1:9997

0 Karma
Reply

arunsunny
Path Finder
‎09-21-2017 01:57 AM

Its working fine for one output group and other is completely stopped sending events 😞 .

0 Karma
Reply

sbbadri
Motivator
‎09-21-2017 07:47 AM

Did you check data is writing on both the index and sourcetype.

0 Karma
Reply

arunsunny
Path Finder
‎09-21-2017 07:53 AM

Yes, I checked. It's writing only to the first index and passing the same to group1 indexers.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-20-2017 07:03 AM

Hi arunsunny,
do you want to send all logs to:

  • both the indexers groups,
  • selectively some logs to one group, some other to another group and some logs to both the groups?

if the first, you don't need to configure props and transforms, you have only to configure outputs.conf

[tcpout:Group1]
defaultGroup = default-autolb-group

[tcpout-server://xx.xxx.xxx.xx:9997]
[tcpout-server://yy.yyy.yyy.yy:9997]

[tcpout:default-autolb-group]
server = xx.xxx.xxx.xx:9997, yy.yyy.yyy.yy:9997
disabled = false

[tcpout:Group2]
server=aa.aaa.aaa.aa:9997, bb.bbb.bbb.bb:9997
disabled = false

[tcpout-server://aa.aaa.aaa.aa:9997]
[tcpout-server://bb.bbb.bbb.bb:9997]

If the second, follow http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
In other words you have to configure an outputs.conf as above and in every inputs.conf stanza put:

  • _TCP_ROUTING=Group1 for logs to send only to Indexers Group1
  • _TCP_ROUTING=Group2 for logs to send only to Indexers Group2
  • nothing for logs to send to both the Indexers Groups

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...