Solved: What is the minimal outputs.conf for a forwarder?

ddrillic · ‎07-31-2018

We use the following just fine -

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = <indexer>:9997

The admin guide for the certification also mentions -

 [tcpout-server://x.x.x.x:9997]

Is it needed?

sudosplunk · ‎07-31-2018

[tcpout-server://x.x.x.x] is just a more specific way of defining destination host(indexer). Both definitions will work fine but [tcpout-server://x.x.x.x] will take precedence.

Per docs,

############
TCP Output stanzas
############
# There are three levels of TCP Output stanzas:
# * Global: [tcpout]
# * Target group: [tcpout:<target_group>]
# * Single server: [tcpout-server://<ip address>:<port>]
#
# Settings at more specific levels override settings at higher levels. For
# example, an attribute set for a single server overrides the value of that
# attribute, if any, set at that server's target group stanza. See the
# online documentation on configuring forwarders for details.
#
# This spec file first describes the three levels of stanzas (and any
# attributes unique to a particular level).  It then describes the optional
# attributes, which can be set at any  of the three levels.


#----TCP Output Global Configuration -----
# The global configurations specified here in the [tcpout] stanza can be
# overwritten in stanzas for specific target groups, as described later.
# Note that the defaultGroup and indexAndForward attributes can only be set
# here, at the global level.
#
# Starting with 4.2, the [tcpout] stanza is no longer required.

View solution in original post

sudosplunk · ‎07-31-2018

[tcpout-server://x.x.x.x] is just a more specific way of defining destination host(indexer). Both definitions will work fine but [tcpout-server://x.x.x.x] will take precedence.

Per docs,

############
TCP Output stanzas
############
# There are three levels of TCP Output stanzas:
# * Global: [tcpout]
# * Target group: [tcpout:<target_group>]
# * Single server: [tcpout-server://<ip address>:<port>]
#
# Settings at more specific levels override settings at higher levels. For
# example, an attribute set for a single server overrides the value of that
# attribute, if any, set at that server's target group stanza. See the
# online documentation on configuring forwarders for details.
#
# This spec file first describes the three levels of stanzas (and any
# attributes unique to a particular level).  It then describes the optional
# attributes, which can be set at any  of the three levels.


#----TCP Output Global Configuration -----
# The global configurations specified here in the [tcpout] stanza can be
# overwritten in stanzas for specific target groups, as described later.
# Note that the defaultGroup and indexAndForward attributes can only be set
# here, at the global level.
#
# Starting with 4.2, the [tcpout] stanza is no longer required.

ddrillic · ‎07-31-2018

Very interesting.

What do they mean when saying -

Starting with 4.2, the [tcpout] stanza is no longer required.

somesoni2 · ‎07-31-2018

Before v 4.2, you need to specify which tcpout:target_group to be used by default (using defaultGroup attribute) in tcpout stanza. With 4.2+ version, you don't have to specify defaultGroup attribute if there is only one tcpout:target_group (it detects it automatically).

ddrillic · ‎07-31-2018

Are you saying that all that I need in outputs.conf is (assuming one group) ? -

[tcpout:indexers]
server = <indexer>:9997

sudosplunk · ‎07-31-2018

That's right.

Please note: If you have more than one groups as below, then splunk will send events to defaultGroup (indexers_group1) if _TCP_ROUTING is not specified for data inputs in inputs.conf

[tcpout]
defaultGroup = indexers_group1

[tcpout:indexers_group1]
server = <indexer1>:9997

[tcpout:indexers_group2]
server = <indexer2>:9997

### inputs.conf ###

_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>, ...
* Comma-separated list of tcpout group names.
* Using this, you can selectively forward the data to specific indexer(s).
* Specify the tcpout group the forwarder should use when forwarding the data.
  The tcpout group names are defined in outputs.conf with
  [tcpout:<tcpout_group_name>].
* Defaults to groups specified in "defaultGroup" in [tcpout] stanza in
  outputs.conf.
* To forward data to all tcpout group names that have been defined in
  outputs.conf, set to '*' (asterisk).
* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be
  set to either "*" or a specific splunktcp target group.

ddrillic · ‎07-31-2018

Gorgeous !

sudosplunk · ‎07-31-2018

Let me know if this helped you. I will convert my comment into answer.

ddrillic · ‎07-31-2018

Please convert @nittala_surya.

sudosplunk · ‎07-31-2018

Done. Thanks!

What is the minimal outputs.conf for a forwarder?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...