Getting Data In

winEventLogs and XmlWinEventLogs _TCP_ROUTING

willsy
Path Finder

hello, 

i am trying to send wineventlogs from my machines to my clustered indexer and also send the same event logs but in Xml format to a heavy forwarder for third party. 

my inputs.conf looks like this

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = false

[WinEventLog://security]
disabled = 0
renderXml = true
_TCP_ROUTING = heavy1

my outputs.conf is the following

[tcpout:group1]
indexerDiscovery = idxc1
autoLBVolume = 65536

[indexer_discovery:idxc1]
master_uri = https://serverip:serverport
pass4SymmKey = xxxx
cxn_timeout = 300

[tcpout:heavyforwarder]
defaultGroup = heavy1

[tcpout:heavy1]
server = serverip:serverport

does anyone know why it now does not send to my clustered indexers? know that i did put _TCP_ROUTING = group1 under the non Xml event logs in inputs.conf and still didnt work. 

cheers in advance

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There are two stanzas by the same name.  Splunk merges the settings from both stanzas into a single one with the second set of setting overwriting the first.  The outcome looks like this:

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = true
_TCP_ROUTING = heavy1

That would explain why no data is sent to the indexers.

---
If this reply helps you, Karma would be appreciated.

willsy
Path Finder

So if thats the case, how do i have two different stanzas when that is the information that i am gathering? That stanza is the location of the information, it is the file path to the information that i need.

0 Karma
Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...