UF - Route inputs to specific indexers based on the data's input

lisaac
Path Finder

I have a UF running at version 6.0.4. I have configured an inputs.conf value to route to a different indexer. The UF isn't honoring the statements in the inputs.conf and outputs.conf. This should work per the data @ http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Route_inputs_to_spe...

Outputs.conf:

[tcpout] 
indexAndForward = true 
disabled = false 
defaultGroup=indexer1-11 

[tcpout:indexer1] 
maxConnectionsPerIndexer = 1 
autoLB = true 
autoLBFrequency = 60 
server = xx.xx.51.109:9997

[tcpout:indexerdev] 
server = xx.xx.144.235:9996 
sendCookedData = true 
dropEventsOnQueueFull = 60 

inputs.conf

[WinEventLog:Security] 
disabled = 0 
start_from = oldest 
current_only = 0 
evt_resolve_ad_obj = 1 
checkpointInterval = 5 
index = sys_sec_nonprod 
_TCP_ROUTING = indexerdev 

[WinEventLog://Security] 
checkpointInterval = 5 
current_only = 0 
disabled = 0 
evt_resolve_ad_obj = 1 
index = sys_sec_nonprod 
start_from = oldest 
_TCP_ROUTING = indexerdev 

Yes, there are duplicate statements in the inputs.conf. I don't believe that is the core issue. Both are set to route using _TCP_ROUTING. Am I missing something?

MarioM
Motivator

There is the below known issue as per release notes:
Modular inputs, including perfmon and WinEventLog inputs are not passing the custom metadata fields
(_*, _meta or _TCP_ROUTING) (SPL-79421).

http://docs.splunk.com/Documentation/Splunk/6.0.4/ReleaseNotes/KnownIssues

The workaround is to set up the Windows _TCP_ROUTING at the default level for all inputs in .../system/local/inputs.conf

[default]
_TCP_ROUTING=mywindowsdestinationtcpout

and use custom _TCP_ROUTING for non-Windows inputs (not Modular inputs)

[monitor://path/to/my/file]
_TCP_ROUTING=myotherdestinationtcpout

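A pre-deployment check for the routing settings discussed in this thread, as an added example that is not part of the original posts or of Splunk's tooling. It flags `defaultGroup` and `_TCP_ROUTING` values that name no `[tcpout:<group>]` stanza, and per-stanza `_TCP_ROUTING` on the input types the SPL-79421 note lists; the function names are hypothetical, and the forwarder is assumed to run a version affected by that issue.

```python
import re

# Input types the SPL-79421 release note names as dropping per-stanza metadata.
AFFECTED_PREFIXES = ("WinEventLog", "perfmon")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def groups(value):
    return [g.strip() for g in value.split(",") if g.strip()]

def check_routing(outputs_text, inputs_text):
    """Return (stanza, problem) findings for forwarder routing settings."""
    outputs, inputs = parse_conf(outputs_text), parse_conf(inputs_text)
    defined = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    findings = []
    for g in groups(outputs.get("tcpout", {}).get("defaultGroup", "")):
        if g not in defined:
            findings.append(("tcpout", f"defaultGroup '{g}' has no [tcpout:{g}] stanza"))
    for stanza, settings in inputs.items():
        for g in groups(settings.get("_TCP_ROUTING", "")):
            if g not in defined:
                findings.append((stanza, f"_TCP_ROUTING '{g}' has no [tcpout:{g}] stanza"))
        # Assumes an affected forwarder version (the thread's UF is 6.0.4).
        if "_TCP_ROUTING" in settings and stanza.startswith(AFFECTED_PREFIXES):
            findings.append((stanza, "per-stanza _TCP_ROUTING is dropped (SPL-79421); set it under [default]"))
    return findings

# Settings copied from the question, trimmed to the routing-relevant lines.
OUTPUTS = """[tcpout]
defaultGroup=indexer1-11
[tcpout:indexer1]
[tcpout:indexerdev]
"""
INPUTS = """[WinEventLog://Security]
_TCP_ROUTING = indexerdev
"""

if __name__ == "__main__":
    for stanza, problem in check_routing(OUTPUTS, INPUTS):
        print(f"[{stanza}] {problem}")
```

Running this against every forwarder's effective configuration before rollout catches Security event log inputs that would otherwise fall back to the default group without any error.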

vsheridan_splun
Splunk Employee

This issue (SPL-79421) has been resolved in Splunk 6.3 and is incorporated in Splunk 6.4.
You can get the latest Splunk release from: https://www.splunk.com/en_us/download/splunk-enterprise.html

lisaac
Path Finder

I see starting with 4.2, this attribute is no longer required. Thanks for the input. How does a UF know where to send data unless one is specified? I could remove the defaultGroup and then route to a destination based on changes to inputs.conf. This would be a little bit of work, and the outputs.conf.spec file shows that this can be overridden with the _TCP_ROUTING setting.

[tcpout]
defaultGroup = , , ...
Comma-separated list of one or more target group names, specified later in [tcpout:] stanzas.
The forwarder sends all data to the specified groups.
If you don't want to forward data automatically, don't set this attribute.
Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a
props.conf/transforms.conf modifier.
* Starting with 4.2, this attribute is no longer required.

MuS
SplunkTrust

Do it like in the docs example provided, set _TCP_ROUTING in inputs.conf

MuS
SplunkTrust

Starting with Splunk 4.2, the defaultGroup attribute is no longer required.
