Hi Splunkers,
I have a situation where the _TCP_ROUTING setting in inputs.conf is not being honored by Splunk. Here is my architecture and the related config files.
HF --> Indexer cluster
On HF, $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint/local/opseclea_inputs.conf:
[FirewallEvents]
_TCP_ROUTING = fw_cluster
On HF, $SPLUNK_HOME/etc/apps/route_outputs/local/outpus.conf:
[tcpout]
indexAndForward = false
defaultGroup = main_cluster
autoLBFrequency = 15
[tcpout:main_cluster]
server = mainIDX1:9997,mainIDX2:9997,mainIDX3:9997,mainIDX4:9997
useACK = true
maxQueueSize = 7MB
[tcpout:fw_cluster]
server = fwIDX1:9997,fwIDX2:9997,fwIDX3:9997,fwIDX4:9997
useACK = true
maxQueueSize = 7MB
Events are still being routed to main_cluster instead of fw_cluster. This kind of routing is working for other data sources coming through UFs.
I've already reviewed metrics.log and splunkd.log and validated HF is making TCPInput connections to indexers (fw_cluster).
Any advice on troubleshooting is appreciated.
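A small configuration lint, added here as an example and not part of the original question or of Splunk's own tooling, that reads the two files above and checks the one thing that must hold for _TCP_ROUTING to work: every group named by an input's _TCP_ROUTING (and by defaultGroup) must exist as a [tcpout:<group>] stanza in outputs.conf. It also checks the file's basename, since Splunk only merges files literally named outputs.conf. The two config texts are embedded copies of the stanzas in the post (constructed input; nothing is read from disk), and the function names are the example's own.

```python
import configparser
import os
from typing import Dict, List, Set, Tuple

# Constructed copies of the two config files from the question (sample input, not read from disk).
INPUTS_CONF = """
[FirewallEvents]
_TCP_ROUTING = fw_cluster
"""

OUTPUTS_CONF = """
[tcpout]
indexAndForward = false
defaultGroup = main_cluster
autoLBFrequency = 15

[tcpout:main_cluster]
server = mainIDX1:9997,mainIDX2:9997,mainIDX3:9997,mainIDX4:9997
useACK = true
maxQueueSize = 7MB

[tcpout:fw_cluster]
server = fwIDX1:9997,fwIDX2:9997,fwIDX3:9997,fwIDX4:9997
useACK = true
maxQueueSize = 7MB
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep _TCP_ROUTING exactly as written
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def tcpout_groups(outputs: Dict[str, Dict[str, str]]) -> Set[str]:
    """Names of all target groups defined as [tcpout:<group>] stanzas."""
    return {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}


def _split_groups(value: str) -> List[str]:
    return [g.strip() for g in value.split(",") if g.strip()]


def check_routing(inputs: Dict[str, Dict[str, str]],
                  outputs: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Cross-check _TCP_ROUTING and defaultGroup against the [tcpout:<group>] stanzas.

    Returns {"missing": [description, ...],
             "routes": {input_stanza: [(group, server_list), ...]}}.
    """
    groups = tcpout_groups(outputs)
    result: Dict[str, object] = {"missing": [], "routes": {}}
    missing: List[str] = result["missing"]  # type: ignore[assignment]
    routes: Dict[str, List[Tuple[str, str]]] = result["routes"]  # type: ignore[assignment]

    # defaultGroup is where everything without a _TCP_ROUTING override goes.
    for g in _split_groups(outputs.get("tcpout", {}).get("defaultGroup", "")):
        if g not in groups:
            missing.append(f"defaultGroup '{g}' has no [tcpout:{g}] stanza")

    # Each input stanza that overrides routing must point at a defined group.
    for stanza, keys in inputs.items():
        routing = keys.get("_TCP_ROUTING")
        if routing is None:
            continue
        resolved: List[Tuple[str, str]] = []
        for g in _split_groups(routing):
            if g in groups:
                resolved.append((g, outputs[f"tcpout:{g}"].get("server", "")))
            else:
                missing.append(f"[{stanza}] _TCP_ROUTING -> '{g}' has no [tcpout:{g}] stanza")
        routes[stanza] = resolved
    return result


def conf_filename_ok(path: str) -> bool:
    """Splunk only merges files named exactly outputs.conf; any other name is ignored."""
    return os.path.basename(path) == "outputs.conf"


if __name__ == "__main__":
    report = check_routing(parse_conf(INPUTS_CONF), parse_conf(OUTPUTS_CONF))
    for stanza, targets in report["routes"].items():  # type: ignore[union-attr]
        for group, servers in targets:
            print(f"[{stanza}] -> {group}: {servers}")
    for problem in report["missing"]:  # type: ignore[union-attr]
        print("PROBLEM:", problem)
```

Run it against copies of the actual files (or against the merged view from `splunk btool outputs list --debug` and `splunk btool inputs list --debug`, which also shows which app and directory each setting finally comes from), since a later-precedence copy of either file can silently override what is shown here.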