Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

winEventLogs and XmlWinEventLogs _TCP_ROUTING

willsy
Communicator
‎10-08-2020 07:11 AM

hello, 

i am trying to send wineventlogs from my machines to my clustered indexer and also send the same event logs but in Xml format to a heavy forwarder for third party. 

my inputs.conf looks like this

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = false

[WinEventLog://security]
disabled = 0
renderXml = true
_TCP_ROUTING = heavy1

my outputs.conf is the following

[tcpout:group1]
indexerDiscovery = idxc1
autoLBVolume = 65536

[indexer_discovery:idxc1]
master_uri = https://serverip:serverport
pass4SymmKey = xxxx
cxn_timeout = 300

[tcpout:heavyforwarder]
defaultGroup = heavy1

[tcpout:heavy1]
server = serverip:serverport

does anyone know why it now does not send to my clustered indexers? know that i did put _TCP_ROUTING = group1 under the non Xml event logs in inputs.conf and still didnt work. 

cheers in advance

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2020 08:01 AM

There are two stanzas by the same name.  Splunk merges the settings from both stanzas into a single one with the second set of setting overwriting the first.  The outcome looks like this:

[WinEventLog://security]
disabled = 0
index = xxxx
renderXml = true
_TCP_ROUTING = heavy1

That would explain why no data is sent to the indexers.

---
If this reply helps you, Karma would be appreciated.
Reply

willsy
Communicator
‎10-08-2020 11:46 AM

So if thats the case, how do i have two different stanzas when that is the information that i am gathering? That stanza is the location of the information, it is the file path to the information that i need.

0 Karma
Reply

dc17
Explorer
‎09-20-2023 08:09 AM

Hi @willsy , 
I know this is an old topic but did you find any solution for this ?  I have to send data in XML to a third party and maintain the data flow to Splunk indexers. 

It is possible to separate the "renderXML=true" command and "renderXML=false" in some way?

Thank you, 

0 Karma
Reply

KaraD
Community Manager
Community Manager
‎09-20-2023 10:07 AM

Hi @dc17! Kara here, Splunk Community Manager. Thanks for following up on this question from 2020, but I recommend posting it as a brand new question so that it can get more visibility. Cheers!

0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...