winEventLogs and perfmon data inputs _TCP_ROUTING

Motivator

I am using the _TCP_ROUTING attribute in my inputs.conf. When used with a winEventLogs and perfmon stanza it seems to ignore this attribute. It works fine with the monitor stanza. Is there some other definition I need to do in outputs.conf or some other attribute I need to use in the inputs.conf to get this to work?

== My configurations ==

I have the following outputs.conf:

[tcpout:APP_ENV]
server = myserver.prod:9997

[tcpout:INFRA]
server = myserver.infra:9997

I have the following inputs.conf:

[monitor://C:\my\windows\path\logs\mylog.log]
sourcetype = myST
index = myIndex
disabled = false
_TCP_ROUTING = APP_ENV

[perfmon://Processor]
object = Processor
counters = % Processor Time;% User Time
instances = _Total
interval = 5
disabled = 0
index=main
_TCP_ROUTING = INFRA

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
_TCP_ROUTING = INFRA

The monitor stanza properly gets sent to my APP_ENV tcpout grouping (in other words: myserver.prod:9997), while my other two stanzas act as if data cloning is configured for them and send data to both APP_ENV and INFRA.

Assistance is greatly appreciated.

=== UPDATE ===

I just created another [tcpout:...] stanza in my outputs.conf to test whether the behavior was in fact data cloning across all tcpout groups. The perfmon and wineventlogs did in fact get sent to all tcpout groups as if data cloning had been configured.

Is this a bug? Or is there another attribute that I can set in either inputs.conf or outputs.conf to get it to do the behavior I wanted?

1 Solution

Splunk Employee

In version 6.0 modular inputs were added to Splunk. The modular inputs do not yet support the _TCP_ROUTING option. The bug filed to track this issue is SPL-79421. Engineering has been working toward a resolution and we expect a fix in an upcoming release.

A workaround is to set the default receiver in outputs.conf for your modular inputs. Then in inputs.conf you may use _TCP_ROUTING on your monitored data.

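The routing behaviour described in this thread, modelled as a small audit script (an added example, not part of the original answer and not Splunk code). It assumes what the thread reports: on a 6.0 forwarder, `perfmon` and `WinEventLog` stanzas ignore `_TCP_ROUTING` and go to the `defaultGroup` set in the `[tcpout]` stanza of outputs.conf, or to every tcpout group when no default is set. The function names are hypothetical.

```python
import configparser

# Input types this thread reports as ignoring _TCP_ROUTING on a 6.0 forwarder.
AFFECTED_PREFIXES = ("WinEventLog:", "perfmon://")

# Constructed sample data, trimmed from the configuration posted in the question.
OUTPUTS = "[tcpout:APP_ENV]\nserver = myserver.prod:9997\n[tcpout:INFRA]\nserver = myserver.infra:9997\n"
OUTPUTS_WORKAROUND = "[tcpout]\ndefaultGroup = INFRA\n" + OUTPUTS
INPUTS = r"""
[monitor://C:\my\windows\path\logs\mylog.log]
_TCP_ROUTING = APP_ENV
[perfmon://Processor]
counters = % Processor Time;% User Time
_TCP_ROUTING = INFRA
[WinEventLog:Security]
_TCP_ROUTING = INFRA
"""

def parse_conf(text):
    """Parse .conf text, keeping key case and treating '%' literally."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def split_groups(value):
    return [g.strip() for g in value.split(",") if g.strip()]

def effective_routes(inputs_text, outputs_text):
    """Return {stanza: (requested groups, groups that actually receive data)}."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    all_groups = [s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")]
    default = split_groups(outputs.get("tcpout", "defaultGroup", fallback=""))
    unrouted = default or all_groups  # no default group: every group gets a copy
    routes = {}
    for stanza in inputs.sections():
        requested = split_groups(inputs.get(stanza, "_TCP_ROUTING", fallback=""))
        ignored = stanza.startswith(AFFECTED_PREFIXES)
        routes[stanza] = (requested, requested if requested and not ignored else unrouted)
    return routes

def misrouted(inputs_text, outputs_text):
    """Stanzas whose data reaches groups other than the ones requested."""
    routes = effective_routes(inputs_text, outputs_text)
    return sorted(s for s, (want, got) in routes.items() if want and set(want) != set(got))

if __name__ == "__main__":
    print("as posted:      ", misrouted(INPUTS, OUTPUTS))
    print("with workaround:", misrouted(INPUTS, OUTPUTS_WORKAROUND))
```

Under this model the workaround only helps when every affected input is meant for the same default group; Security event logs that must stay out of a given indexer should be checked this way before a forwarder upgrade.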

Path Finder

Did you ever get this resolved? I am seeing the same issue with updating my UF to 6.0. My Windows Logs are not routing to the correct place and being filtered. Thanks.

0 Karma

Motivator

Cool, thanks for the heads up. Let me know if/when you get a response/solution from them

0 Karma

Path Finder

Opened a case and Splunk was able to reproduce the issue and submitted a bug. Thought I would let you know. In the meantime I have adjusted my environment and routing to allow us to continue to collect data and parse at the indexers instead of a HF.

0 Karma

Path Finder

I am using 6.0 as well. Was working and broke when updated. Not seeing a fix. Guess I need to open a case to have Splunk look into it.

0 Karma

Motivator

No, I did not get it resolved. It's still an open issue. Just to confirm, I'm also using 6.0 UF.

0 Karma