Getting Data In

winEventLogs and XmlWinEventLogs _TCP_ROUTING

willsy
Communicator

Hello,

I am trying to send WinEventLogs from my machines to my clustered indexer, and also send the same event logs, but in XML format, to a heavy forwarder for a third party.

My inputs.conf looks like this:

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = false

[WinEventLog://security]
disabled = 0
renderXml = true
_TCP_ROUTING = heavy1

My outputs.conf is the following:

[tcpout:group1]
indexerDiscovery = idxc1
autoLBVolume = 65536

[indexer_discovery:idxc1]
master_uri = https://serverip:serverport
pass4SymmKey = xxxx
cxn_timeout = 300

[tcpout:heavyforwarder]
defaultGroup = heavy1

[tcpout:heavy1]
server = serverip:serverport

Does anyone know why it now does not send to my clustered indexers? Note that I did put _TCP_ROUTING = group1 under the non-XML event logs in inputs.conf and it still didn't work.

Cheers in advance

0 Karma

richgalloway
SplunkTrust

There are two stanzas by the same name. Splunk merges the settings from both stanzas into a single one, with the second set of settings overwriting the first. The outcome looks like this:

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = true
_TCP_ROUTING = heavy1

That would explain why no data is sent to the indexers.

---
If this reply helps you, Karma would be appreciated.
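To see the collapse described in this reply, here is an added example (my own code, not Splunk's parser and not from the thread) that reads the question's inputs.conf the way the reply describes, later same-named stanzas overwriting earlier keys, and flags duplicate stanza names so the problem is caught before the file is deployed:

```python
"""Model of how Splunk collapses same-named stanzas, as the reply above describes."""

# Constructed copy of the inputs.conf from the question (not a live config).
INPUTS_CONF = """\
[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = false

[WinEventLog://security]
disabled = 0
renderXml = true
_TCP_ROUTING = heavy1
"""


def parse_stanzas(text):
    """Return [(stanza_name, {key: value}), ...] in file order; duplicates are kept apart here."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})  # a new [header] starts a stanza
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # keys keep their case (_TCP_ROUTING)
            current[1][key.strip()] = value.strip()
    return stanzas


def merge_stanzas(stanzas):
    """Collapse same-named stanzas: a later setting overwrites an earlier one."""
    merged = {}
    for name, settings in stanzas:
        merged.setdefault(name, {}).update(settings)
    return merged


def duplicate_stanzas(stanzas):
    """Stanza names defined more than once; warn on these before deploying a conf."""
    names = [name for name, _ in stanzas]
    return sorted({n for n in names if names.count(n) > 1})


if __name__ == "__main__":
    parsed = parse_stanzas(INPUTS_CONF)
    for dup in duplicate_stanzas(parsed):
        print(f"warning: stanza [{dup}] is defined more than once and will be merged")
    for name, settings in merge_stanzas(parsed).items():
        print(f"[{name}]", *(f"{k} = {v}" for k, v in settings.items()), sep="\n")
```

The merged result has renderXml = true and _TCP_ROUTING = heavy1, and the index setting from the first stanza survives only because the second stanza never set it.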

willsy
Communicator

So if that's the case, how do I have two different stanzas when that is the information I am gathering? That stanza is the location of the information; it is the file path to the information that I need.

0 Karma

dc17
Explorer

Hi @willsy,
I know this is an old topic, but did you find any solution for this? I have to send data in XML to a third party and maintain the data flow to Splunk indexers.

Is it possible to separate the "renderXML=true" setting and "renderXML=false" in some way?

Thank you,

0 Karma

KaraD
Community Manager

Hi @dc17! Kara here, Splunk Community Manager. Thanks for following up on this question from 2020, but I recommend posting it as a brand new question so that it can get more visibility. Cheers!

0 Karma