- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can I have two apps that have two different indexe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I have two apps that have two different indexers and indexes for the SAME Windows Event Log monitor stanza?
I have an app with an inputs.conf that has a stanza for [WinEventLog://Microsoft-Security-Logs] to an index and uses _TCP_ROUTING to make sure the events go to the correct indexer.
I have a group that runs their own splunk environment and wants their data sent to their own index/indexers, but I still need it as well. I would like to create a second app with another [WinEventLog://Microsoft-Security-Logs] stanza that sends the same information to their servers as well.
I don't see any facility for having two of the same inputs.conf stanzas, even in two different apps. It seems like the configurations are merged and the last variable read takes precedence.
Is there a way to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to create another tcp group in outputs.conf and then add that group to your _TCP_ROUTING setting in your inputs.
It sounds like you already have a tcpout group created for your indexers. So just create another for the other splunk environment. The _TCP_ROUTING setting in inputs.conf accepts a comma-delimited list of those groups, so just add that new group to the list. At that point, the eventlog data should get routed to both groups/environments.
If the other environment needs it in a different index, then they should be able to update their props.conf to set the right index before indexing on their side.
[tcpout:<target_group>]
server = [<ip>|<servername>]:<port>, [<ip>|<servername>]:<port>, ...
* Required if indexerDiscovery is not set.
* Takes a comma separated list of one or more systems to send data to over a
tcp socket.
* Typically used to specify receiving splunk systems, although it can be
used to send data to non-splunk systems (see sendCookedData setting).
* For each mentioned system, the following are required:
* IP or servername where one or system is listening.
* Port on which syslog server is listening.
_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>, ...
* Comma-separated list of tcpout group names.
* Using this, you can selectively forward the data to specific indexer(s).
* Specify the tcpout group the forwarder should use when forwarding the data.
The tcpout group names are defined in outputs.conf with
[tcpout:<tcpout_group_name>].
* Defaults to groups specified in "defaultGroup" in [tcpout] stanza in
outputs.conf.
* To forward data to all tcpout group names that have been defined in
outputs.conf, set to '*' (asterisk).
* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be
set to either "*" or a specific splunktcp target group.
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
