Monitoring Splunk

_TCP_ROUTING not exclusive?

dmesler
Explorer

I want to add monitoring of a file and have it forwarded to a splunk server separate than my usual indexers. So I added

[monitor:///new/file]

_TCP_ROUTING=testGroup

to my inputs. It's indexing on the server listed in testGroup just fine. BUT it's also still forwarding to my defaultGroup. How can I forward this particular file to just the testGroup, and not defaultGroup?

Tags (1)

chicodeme
Communicator

Typically you need a default group for that:
Add this to your outputs.conf
[tcpout]
defaultGroup=nothing
disabled = false
indexAndForward = true

http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Forwarddatatothird-partysystemsd
"Note: If you want to forward only the data specifically identified in props.conf and transforms.conf, set defaultGroup=nothing."

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...

Build and Launch AI Agents from Your Splunk Workflows

  Register We’ve all been there: juggling alerts, runbooks, and endless manual searches. What if you could ...

Splunk Cloud Application Management in Terraform

Register   On Tuesday, August 4 at 11AM PDT / 2PM EDT, we’re diving into how you can bring Infrastructure as ...