i am trying to send wineventlogs from my machines to my clustered indexer and also send the same event logs but in Xml format to a heavy forwarder for third party.
my inputs.conf looks like this
disabled = 0
index = xxxx
renderXml = false
disabled = 0
renderXml = true
_TCP_ROUTING = heavy1
my outputs.conf is the following
indexerDiscovery = idxc1
autoLBVolume = 65536
master_uri = https://serverip:serverport
pass4SymmKey = xxxx
cxn_timeout = 300
defaultGroup = heavy1
server = serverip:serverport
does anyone know why it now does not send to my clustered indexers? know that i did put _TCP_ROUTING = group1 under the non Xml event logs in inputs.conf and still didnt work.
cheers in advance
There are two stanzas by the same name. Splunk merges the settings from both stanzas into a single one with the second set of setting overwriting the first. The outcome looks like this:
[WinEventLog://security] disabled = 0 index = xxxx renderXml = true _TCP_ROUTING = heavy1
That would explain why no data is sent to the indexers.
So if thats the case, how do i have two different stanzas when that is the information that i am gathering? That stanza is the location of the information, it is the file path to the information that i need.