Getting Data In

universal forwarder with more than one outputs.conf

mamaral
Path Finder

I need to configure my collection of universal forwarders to send information to distinct TCP ports...


Basically:

*NIX sending to indexer on port 7700

Input A sending to indexer on port 7701

Input B sending to indexer on port 7702

etc.


Could someone please help me?

Thanks

Amaral

0 Karma

gkanapathy
Splunk Employee

There's rarely a point in doing this. You can just send them all to the same port. The Splunk forwarding protocol includes identification of the source host (and the source file, the destination index, and other things) so there's usually not any need or advantage to using more than one port.

But if you really did need this for some reason (e.g., you're running multiple instances of Splunk on the host on different ports, or simply different hosts), you'd simply add a _TCP_ROUTING key to the inputs clause:

_TCP_ROUTING = destA

where destA is just the name of the output group in outputs.conf, e.g. destA in [tcpout:destA]

Rob
Splunk Employee

I am not quite sure what you are looking to do. But if you are looking to configure a Universal Forwarder to forward all data to 3 different indexers for specific ports then you will want to create a stanza for each indexer in your outputs.conf file like this:

[tcpout]
defaultGroup=*

[tcpout:Nix]
server = xxx.xxx.xxx.xxx:7700

[tcpout:inputA]
server = xxx.xxx.xxx.xxx:7701

[tcpout:inputB]
server = xxx.xxx.xxx.xxx:7702

If you want some additional information from the Splunk documentation, here is a link for cloning data across indexes and here is a link for forwarding data to indexes.
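The two answers above combined into one forwarder configuration, as an added example that is not part of the original thread: per-input `_TCP_ROUTING` keys in inputs.conf select the output groups defined in outputs.conf. The monitored paths, the group name `nix` and the host `indexer.example.com` are assumptions made for illustration.

```ini
# ---- inputs.conf on the universal forwarder ----
# (monitored paths are hypothetical)

# No _TCP_ROUTING key, so this input follows defaultGroup (nix, port 7700)
[monitor:///var/log/messages]

# Input A is routed to output group inputA (port 7701)
[monitor:///opt/appA/logs]
_TCP_ROUTING = inputA

# Input B is routed to output group inputB (port 7702)
[monitor:///opt/appB/logs]
_TCP_ROUTING = inputB


# ---- outputs.conf on the same forwarder ----
# (indexer.example.com is a placeholder host)

[tcpout]
# Only inputs without their own _TCP_ROUTING use this group
defaultGroup = nix

[tcpout:nix]
server = indexer.example.com:7700

[tcpout:inputA]
server = indexer.example.com:7701

[tcpout:inputB]
server = indexer.example.com:7702
```

Each port also needs a matching `[splunktcp://<port>]` receiving input on the indexer side.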
