Getting Data In

What is the minimal outputs.conf for a forwarder?

ddrillic
Ultra Champion

We use the following just fine -

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = <indexer>:9997

The admin guide for the certification also mentions -

 [tcpout-server://x.x.x.x:9997]

Is it needed?

0 Karma
1 Solution

sudosplunk
Motivator

[tcpout-server://x.x.x.x] is just a more specific way of defining the destination host (indexer). Both definitions will work fine, but [tcpout-server://x.x.x.x] will take precedence.

Per docs,

############
TCP Output stanzas
############
# There are three levels of TCP Output stanzas:
# * Global: [tcpout]
# * Target group: [tcpout:<target_group>]
# * Single server: [tcpout-server://<ip address>:<port>]
#
# Settings at more specific levels override settings at higher levels. For
# example, an attribute set for a single server overrides the value of that
# attribute, if any, set at that server's target group stanza. See the
# online documentation on configuring forwarders for details.
#
# This spec file first describes the three levels of stanzas (and any
# attributes unique to a particular level).  It then describes the optional
# attributes, which can be set at any  of the three levels.


#----TCP Output Global Configuration -----
# The global configurations specified here in the [tcpout] stanza can be
# overwritten in stanzas for specific target groups, as described later.
# Note that the defaultGroup and indexAndForward attributes can only be set
# here, at the global level.
#
# Starting with 4.2, the [tcpout] stanza is no longer required.


0 Karma


ddrillic
Ultra Champion

Very interesting.

What do they mean when saying -

Starting with 4.2, the [tcpout] stanza is no longer required.

0 Karma

somesoni2
SplunkTrust

Before v4.2, you needed to specify which tcpout:target_group should be used by default (using the defaultGroup attribute) in the tcpout stanza. With version 4.2+, you don't have to specify the defaultGroup attribute if there is only one tcpout:target_group (it detects it automatically).

ddrillic
Ultra Champion

Are you saying that all that I need in outputs.conf is (assuming one group)? -

[tcpout:indexers]
server = <indexer>:9997
0 Karma

sudosplunk
Motivator

That's right.

Please note: If you have more than one group as below, then Splunk will send events to the defaultGroup (indexers_group1) if _TCP_ROUTING is not specified for data inputs in inputs.conf.

[tcpout]
defaultGroup = indexers_group1

[tcpout:indexers_group1]
server = <indexer1>:9997

[tcpout:indexers_group2]
server = <indexer2>:9997

### inputs.conf ###

_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>, ...
* Comma-separated list of tcpout group names.
* Using this, you can selectively forward the data to specific indexer(s).
* Specify the tcpout group the forwarder should use when forwarding the data.
  The tcpout group names are defined in outputs.conf with
  [tcpout:<tcpout_group_name>].
* Defaults to groups specified in "defaultGroup" in [tcpout] stanza in
  outputs.conf.
* To forward data to all tcpout group names that have been defined in
  outputs.conf, set to '*' (asterisk).
* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be
  set to either "*" or a specific splunktcp target group.
0 Karma
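
The stanza precedence quoted from the docs and the defaultGroup / _TCP_ROUTING behaviour described in this thread, combined in one added example (not part of any post and not Splunk's own code). It assumes a single outputs.conf and inputs.conf with no layering across apps; the addresses, monitored paths, and the two settings used to show overrides (compressed, sslVerifyServerCert) are constructed for illustration.

```python
import configparser

# Constructed sample files: addresses, paths and setting values are placeholders.
OUTPUTS = """
[tcpout]
defaultGroup = indexers_group1
compressed = false
sslVerifyServerCert = true

[tcpout:indexers_group1]
server = 10.0.0.1:9997

[tcpout:indexers_group2]
server = 10.0.0.2:9997
compressed = true

[tcpout-server://10.0.0.2:9997]
sslVerifyServerCert = false
"""
INPUTS = """
[monitor:///var/log/syslog]

[monitor:///var/log/auth.log]
_TCP_ROUTING = indexers_group2
"""

def parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case (defaultGroup, _TCP_ROUTING)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def default_groups(out):
    groups = [n.split(":", 1)[1] for n in out if n.startswith("tcpout:")]
    explicit = out.get("tcpout", {}).get("defaultGroup")
    if explicit:
        return [g.strip() for g in explicit.split(",")]
    # 4.2+: a lone target group is used without defaultGroup. The thread does
    # not cover several groups with no defaultGroup, so report nothing there.
    return groups if len(groups) == 1 else []

def route(input_stanza, out):
    routing = input_stanza.get("_TCP_ROUTING")
    if routing is None:
        return default_groups(out)
    if routing.strip() == "*":
        return [n.split(":", 1)[1] for n in out if n.startswith("tcpout:")]
    return [g.strip() for g in routing.split(",")]

def effective(server, group, out):
    merged = {}
    for stanza in ("tcpout", f"tcpout:{group}", f"tcpout-server://{server}"):
        merged.update(out.get(stanza, {}))  # later (more specific) level wins
    return {k: v for k, v in merged.items() if k not in ("defaultGroup", "server")}
```

On a real forwarder, `splunk btool outputs list --debug` shows the merged configuration across all apps, which this single-file sketch does not model.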

ddrillic
Ultra Champion

Gorgeous!

0 Karma

sudosplunk
Motivator

Let me know if this helped you. I will convert my comment into an answer.

0 Karma

ddrillic
Ultra Champion

Please convert @nittala_surya.

0 Karma

sudosplunk
Motivator

Done. Thanks!

0 Karma