Splunk Enterprise

How can I route data from Universal forwarders to different indexers based on TCP input?

Sanjayr1081
Explorer

Hi All,

I have a UF installed on a syslog server. Network clients are already sending data to the syslog server, and the UF forwards it to indexer 1.

Now another application wants to send data to the same syslog server on which the UF is installed.

But this application's data has to go to a different indexer [Example: indexer_new].

[Note: Both these indexers (indexer 1 and indexer_new) are not in the same cluster. They are placed separately.]

The network data is coming in on TCP port 1515 and the application data is coming in on TCP port 1517.

I have seen some answers on routing with _TCP_ROUTING to two different indexers based on the data input. But in this case it is not based on a file or log path; it is based on a TCP input [for a TCP input we don't have any path for the log].

Existing input [under /opt/splunk-fwd/etc/apps/syslog_3n/default/inputs.conf]:

----------

[tcp://localhost:1515]
queueSize = 512MB
connection_host = ip
sourcetype = network_syslog
index = network_sys


Now I want to know how to route the new application data coming to the UF on port 1517 to indexer_new, while the existing network data should continue to go to indexer 1.

Thanks for your reply in advance 🙂!!


richgalloway
SplunkTrust

This is an interesting setup.  Splunk recommends applications send syslog data to a syslog server and that server writes the data to disk files.  The UF monitors those disk files and forwards data as it arrives.  Sending directly to a Splunk TCP/UDP port has been discouraged for a while because it can lead to data loss.

If the syslog server was writing to disk then the UF would be able to forward to different indexers using the procedures you've already identified.

---
If this reply helps you, Karma would be appreciated.

Sanjayr1081
Explorer

Hi @richgalloway ,

I am not able to find the file where the syslog server writes the data from the incoming TCP inputs. Any idea under which path the data files/disk files will be stored?


richgalloway
SplunkTrust

The location is defined in your syslog server config.  The exact location will depend on which software you use.  For syslog-ng, it's a "destination" setting.

---
If this reply helps you, Karma would be appreciated.

isoutamo
SplunkTrust

As you have a syslog server running and receiving data, I suppose the easiest way is to configure it to write those files based on the input port, under e.g. /var/syslog/indexer1 and /var/syslog/indexer_new hierarchies. Then just read those as regular files and use the way you described to select the correct indexer to send them to.

Another way, especially if those UFs are configured by a DS and there is a separate DS per indexer you are sending events to, is to run two separate UFs, each assigned to its own DS, so that each gets the correct configuration from its organisation. But this should be an option only if there are two separate management teams for those DSs.
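The file-based split that the two replies above describe, written out as an added example (this is not configuration posted by anyone in the thread). It assumes syslog-ng is the process listening on ports 1515 and 1517 (not the UF), that the UF runs as a user named splunk, that the two indexers listen on the default receiving port 9997, and that the existing [tcp://localhost:1515] stanza is retired once the files are monitored. All hostnames and file names are placeholders.

```conf
# ---- /etc/syslog-ng/conf.d/splunk_split.conf (file name is an assumption) ----
# One source per listening port, so the two feeds never share a file path.
source s_network { network(ip("0.0.0.0") port(1515) transport("tcp")); };
source s_app     { network(ip("0.0.0.0") port(1517) transport("tcp")); };

# Per-host, per-day files under a directory tree named after the target indexer.
# Files are owned by the UF user ('splunk' is an assumption) and not world-readable.
destination d_network {
    file("/var/syslog/indexer1/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes) owner("splunk") group("splunk") perm(0640));
};
destination d_app {
    file("/var/syslog/indexer_new/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes) owner("splunk") group("splunk") perm(0640));
};
log { source(s_network); destination(d_network); };
log { source(s_app);     destination(d_app); };

# ---- /opt/splunk-fwd/etc/apps/syslog_3n/local/outputs.conf ----
# One tcpout group per standalone indexer. Hostnames are placeholders.
[tcpout]
defaultGroup = indexer1

[tcpout:indexer1]
server = indexer1.example.com:9997

[tcpout:indexer_new]
server = indexer-new.example.com:9997

# ---- /opt/splunk-fwd/etc/apps/syslog_3n/local/inputs.conf ----
# local/ overrides the default/ stanza from the question, so the old direct
# TCP listener is switched off here instead of edited in default/.
[tcp://localhost:1515]
disabled = true

# _TCP_ROUTING names the tcpout group that receives everything this stanza reads.
# Path segments: /var(1)/syslog(2)/indexer1(3)/<host>(4)/..., so host_segment = 4.
[monitor:///var/syslog/indexer1]
sourcetype = network_syslog
index = network_sys
host_segment = 4
_TCP_ROUTING = indexer1

# The new application feed goes only to indexer_new.
[monitor:///var/syslog/indexer_new]
sourcetype = app_syslog
index = app_sys
host_segment = 4
_TCP_ROUTING = indexer_new
```

Two points worth knowing when adapting this. First, _TCP_ROUTING is a per-stanza setting in inputs.conf rather than something tied to file paths, so if the direct TCP listener has to stay, the same `_TCP_ROUTING = indexer_new` line can be placed on a `[tcp://...:1517]` stanza; the file-based layout is still the better choice for the data-loss reason given above, because syslog-ng keeps writing while the UF or the indexer is down. Second, the tcpout groups above send in the clear; the asker's two indexers are separate systems, so the usual UF-to-indexer TLS settings on the [tcpout] side should be applied before any of this carries production syslog across the network.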
