Based on the docs ( http://www.splunk.com/base/Documentation/4.2.1/Deploy/Configureforwarderswithoutputs.confd#Define_ty... ), I've created this outputs.conf:
me@server:/opt/splunkforwarder> cat etc/apps/dc_global_uf/default/outputs.conf
[tcpout]
defaultGroup = *
indexAndForward = false
[tcpout:group1]
compressed = false
server = work:9997
useACK = true
However, that seems to not work and gives this error:
05-06-2011 23:06:11.174 -0400 ERROR TcpOutputProc - the 'defaultGroup' property contains an invalid group name - * - skipping
Did I read/do something incorrectly, or should the wildcard work?
defaultGroup
can not be a wildcard. It must refer to a specfic group or list of groups, in your example,
defaultGroup = group1
From http://www.splunk.com/base/Documentation/latest/Admin/Outputsconf :
defaultGroup = <target_group>, <target_group>, ...
* Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas.
* The forwarder sends all data to the specified groups.
* Can be set to a name that matches no groups to disable automatic forwarding. For example, "defaultGroup=do_not_forward".
* Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a
props.conf/transforms.conf modifier.
* This attribute is required. The behavior of forwarding without this value is inconsistent across some versions.
defaultGroup
can not be a wildcard. It must refer to a specfic group or list of groups, in your example,
defaultGroup = group1
From http://www.splunk.com/base/Documentation/latest/Admin/Outputsconf :
defaultGroup = <target_group>, <target_group>, ...
* Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas.
* The forwarder sends all data to the specified groups.
* Can be set to a name that matches no groups to disable automatic forwarding. For example, "defaultGroup=do_not_forward".
* Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a
props.conf/transforms.conf modifier.
* This attribute is required. The behavior of forwarding without this value is inconsistent across some versions.
Awesome, thanks!
The other docs you reference were wrong, and have been corrected