hello,
i am trying to send wineventlogs from my machines to my clustered indexer and also send the same event logs but in Xml format to a heavy forwarder for third party.
my inputs.conf looks like this
[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = false
[WinEventLog://security]
disabled = 0
renderXml = true
_TCP_ROUTING = heavy1
my outputs.conf is the following
[tcpout:group1]
indexerDiscovery = idxc1
autoLBVolume = 65536
[indexer_discovery:idxc1]
master_uri = https://serverip:serverport
pass4SymmKey = xxxx
cxn_timeout = 300
[tcpout:heavyforwarder]
defaultGroup = heavy1
[tcpout:heavy1]
server = serverip:serverport
does anyone know why it now does not send to my clustered indexers? know that i did put _TCP_ROUTING = group1 under the non Xml event logs in inputs.conf and still didnt work.
cheers in advance
There are two stanzas by the same name. Splunk merges the settings from both stanzas into a single one with the second set of setting overwriting the first. The outcome looks like this:
[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = true
_TCP_ROUTING = heavy1
That would explain why no data is sent to the indexers.
So if thats the case, how do i have two different stanzas when that is the information that i am gathering? That stanza is the location of the information, it is the file path to the information that i need.
Hi @willsy ,
I know this is an old topic but did you find any solution for this ? I have to send data in XML to a third party and maintain the data flow to Splunk indexers.
It is possible to separate the "renderXML=true" command and "renderXML=false" in some way?
Thank you,
Hi @dc17! Kara here, Splunk Community Manager. Thanks for following up on this question from 2020, but I recommend posting it as a brand new question so that it can get more visibility. Cheers!