Re: easy way to change _TCP_ROUTING = * ?????

wegscd · ‎07-21-2016

I'm working on doing some data cloning.

As a first step, outputs.conf (on a virgin 6.4.1 universal forwarder on Windows) looks like this, and all is well.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk-c-ix.local:9997

Data goes to splunk-c-ix just fine.

When I add another output group (even without making it the default or referring to it in any _TCP_ROUTING lines), then _internal output starts going to both groups.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk-c-ix.local:9997

[tcpout:clone-group]
server = splunk-c-hf.local:9997

I dug into it, and found _TCP_ROUTING = * inside the [monitor://...] stanzas inside $SPLUNK_HOME\apps\SplunkUniversalForwarder\defaults\inputs.conf, which accounts for the behaviour.

I was hoping I could just do a blacklist for the _* indexes on the tcpout:clone-group, but the docs indicate that blacklist/whitelist only happens globally.

Is there an easy way to override this besides hunting down all the _TCP_ROUTING = * in the inputs.conf and overriding them in a local\inputs.conf?

gfuente · ‎08-16-2016

Hello

Have you tried to include this, in your system/local/inputs.conf

[default]
_TCP_ROUTING = default-autolb-group

It should override all default settings, to send default inputs just to the default group.

Regards

wegscd · ‎08-16-2016

will try this when I get a chance.

JuGuSm · ‎10-18-2017

Good answer but how to do this when you manage thousands of Universal Forwarder with the Deployment Server?

chris · ‎08-16-2016

This seems to work for most inputs but the _internal inputs remain unchanged this is output from
/opt/splunkforwarder/bin/splunk btool inputs list

[monitor:///opt/splunkforwarder/var/log/splunk/metrics.log]
_TCP_ROUTING = *
_rcvbuf = 1572864
host = myVeryPersonalForwarder
index = _internal

Regards
Chris

wegscd · ‎08-16-2016

make sense that this wouldn't work. The _TCP_ROUTING in a [default] stanza would only be used if _TCP_ROUTING was not specified elsewhere, and _TCP_ROUTING is specified elsewhere, so the [default] one gets ignored.

chris · ‎08-15-2016

Were you able to solve this?

wegscd · ‎08-16-2016

I hadn't receive gfuente's suggestion yet. which looks promising, I will have to see if it can be adapted to a deployment server fed environment (system/local/inputs.conf is not something that can be distributed via DS). That may be the way to go.

Right now, I just added overrides to the _TCP_ROUTING for guilty [monitor://] stanzas in a deployed inputs.conf:

[monitor://C:\Program Files\SplunkUniversalForwarder\etc\splunk.version]
_TCP_ROUTING = default-autolb-group

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log]
_TCP_ROUTING = default-autolb-group

[monitor://C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log]
_TCP_ROUTING = default-autolb-group

It's ugly and a little brittle (will need to watch future versions to see if they add monitor: stanzas, and someone will break me sooner or later by deploying Splunk onto the 😧 drive), but it works.

easy way to change _TCP_ROUTING = * ?????

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel