winEventLogs and perfmon data inputs _TCP_ROUTING

aholzer
Motivator

I am using the _TCP_ROUTING attribute in my inputs.conf. When used with a winEventLogs and perfmon stanza it seems to ignore this attribute. It works fine with the monitor stanza. Is there some other definition I need to do in outputs.conf or some other attribute I need to use in the inputs.conf to get this to work?

== My configurations ==

I have the following outputs.conf:

[tcpout:APP_ENV]
server = myserver.prod:9997

[tcpout:INFRA]
server = myserver.infra:9997

I have the following inputs.conf:

[monitor://C:\my\windows\path\logs\mylog.log]
sourcetype = myST
index = myIndex
disabled = false
_TCP_ROUTING = APP_ENV

[perfmon://Processor]
object = Processor
counters = % Processor Time;% User Time
instances = _Total
interval = 5
disabled = 0
index=main
_TCP_ROUTING = INFRA

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
_TCP_ROUTING = INFRA

The monitor stanza properly gets sent to my APP_ENV tcpout grouping (in other words: myserver.prod:9997), while my other two stanzas act as if data cloning is configured for them and send data to both APP_ENV and INFRA.

Assistance is greatly appreciated.

=== UPDATE ===

I just created another [tcpout:...] stanza in my outputs.conf to test whether the behavior was in fact data cloning across all tcpout groups. The perfmon and wineventlogs did in fact get sent to all tcpout groups as if data cloning had been configured.

Is this a bug? Or is there another attribute that I can set in either inputs.conf or outputs.conf to get it to do the behavior I wanted?

1 Solution

bpaul_splunk
Splunk Employee

In version 6.0 modular inputs were added to Splunk. The modular inputs do not yet support the _TCP_ROUTING option. The bug filed to track this issue is SPL-79421. Engineering has been working toward a resolution and we expect a fix in an upcoming release.

A workaround is to set the default receiver in outputs.conf for your modular inputs. Then in inputs.conf you may use _TCP_ROUTING on your monitored data.
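
The workaround from this answer, applied to the configuration in the question (an added example, not posted by anyone in the thread). It assumes INFRA is the intended destination for the perfmon and WinEventLog inputs, as in the question, and uses the `defaultGroup` setting of the `[tcpout]` stanza as the default receiver.

```ini
# ---- outputs.conf ----
# Default receiver: every input that carries no _TCP_ROUTING goes here.
# Without this setting the question observed data being sent to all groups.
[tcpout]
defaultGroup = INFRA

[tcpout:APP_ENV]
server = myserver.prod:9997

[tcpout:INFRA]
server = myserver.infra:9997

# ---- inputs.conf ----
# Monitored files honour _TCP_ROUTING, so this input is routed explicitly.
[monitor://C:\my\windows\path\logs\mylog.log]
sourcetype = myST
index = myIndex
disabled = false
_TCP_ROUTING = APP_ENV

# perfmon and WinEventLog inputs ignore _TCP_ROUTING in this version (SPL-79421),
# so the attribute is left out and they fall through to defaultGroup (INFRA).
[perfmon://Processor]
object = Processor
counters = % Processor Time;% User Time
instances = _Total
interval = 5
disabled = 0
index = main

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
```

Any other input on the forwarder that has no `_TCP_ROUTING` also goes to the default group, so confirm on each receiver which sourcetypes actually arrive before relying on the split.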

dchodur
Path Finder

Did you ever get this resolved? I am seeing the same issue with updating my UF to 6.0. My Windows Logs are not routing to the correct place and being filtered. Thanks.

0 Karma

aholzer
Motivator

Cool, thanks for the heads up. Let me know if/when you get a response/solution from them.

0 Karma

dchodur
Path Finder

Opened case and Splunk was able to reproduce the issue and submitted a bug. Thought I would let you know. In the meantime, I have adjusted my environment and routing to allow us to continue to collect data and parse at the indexers instead of a HF.

0 Karma

dchodur
Path Finder

I am using 6.0 as well. Was working and broke when updated. Not seeing a fix. Guess need to open a case to have Splunk look into it.

0 Karma

aholzer
Motivator

No, I did not get it resolved. It's still an open issue. Just to confirm, I'm also using 6.0 UF.

0 Karma