Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is output stopping all outputs routing when a 3rd party server goes down?

lukessi
Path Finder
‎10-02-2018 07:02 AM

Hi,

I am getting a weird issue. If the syslog server fails, it stops all data being indexed by the default TCP out, and then Splunk fills its buckets and falls over. Am I missing something to set it to continue if it can't connect to a output.

cat outputs.conf

[syslog]

defaultGroup = xxxxx_indexers

[syslog:xxxxx_indexers]

server = xxx.xxx.xxx.xxx:9997

type = tcp

timestampformat = %Y-%m-%dT%T.%S

cat transforms.conf

[mehRouting]

REGEX = .

DEST_KEY = _TCP_ROUTING

FORMAT = xxx_cluster_indexers

[Routing_firewalls]

SOURCE_KEY = MetaData:Sourcetype

REGEX = (fgt_traffic|fgt_utm)

DEST_KEY = _SYSLOG_ROUTING

FORMAT = xxxx_indexers

cat props.conf

[host::xxxxxxx1c]

TRANSFORMS-routing = mehRouting, Routing_firewalls

[host::xxxxxc]

TRANSFORMS-routing = mehRouting, Routing_firewalls

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-02-2018 07:11 AM

Hi @lukessi,

Can you please provide your full configuration from outputs.conf because I can't see xxx_cluster_indexers in your outputs.conf

0 Karma
Reply

lukessi
Path Finder
‎10-02-2018 08:41 AM

confirmed if I loss the 3rd party syslog, it stops forwarding to our indexers as well.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-02-2018 08:44 AM

Based on answer https://answers.splunk.com/answers/556975/how-to-forward-data-from-an-indexer-to-a-3rd-party.html , it looks like known issue when you'll send data to syslog over TCP. Splunk stops sending data to indexers as well when syslog server is down, better to switch it to UDP or raise case with splunk support.

0 Karma
Reply

lukessi
Path Finder
‎10-02-2018 07:19 AM

Ah yes its picked up from the default index app we have...

[tcpout]

useACK = true

defaultGroup = xxx_cluster_indexers

disabled = false

[tcpout:xxx_cluster_indexers]

server = index1:9997,index2:9997

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...