Regarding apps, forwarders, and indexers... 80 apps on 9 clustered HFs receiving from 10,000 UFs feeding 6 indexers. Don't want to route ONLY to Syslog. In my originally posted configs the long line of servers in outputs.conf (server=*****) was simply commented out. At the end of this conf was what I thought was the "additional" route statement that would handle this.
Maybe the problem is not with my outputs.conf, but rather with the other configs. Or the fact that my inputs.conf is simply a listener for the 10,000 UFs. Since indexing does not occur until further down the line, there is no "content", simply receive and forward. Am I overthinking this? 😞
INPUTS.CONF
[splunktcp-ssl:11001]
compressed=true
sslVersions = *,-ssl
queueSize = 128MB
persistentQueueSize = 30GB
disabled = false