Can I configure defaultGroup when remotely deployi...

will_paxata · ‎01-12-2015

My issue is that defaultGroup is defaulted to "default-autolb-group" in splunkforwarder/etc/system/local/outputs.conf.

I would like to default defaultGroup to "splunkcloud" rather than "default-autolb-group". Is there a Splunk-specific way to do that?

This document mentions that there are CLI commands for customizing forwarding behavior, but I cannot find any detail beyond that: http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Configureforwarderswithoutputs.confd

I appreciate any help!

jayannah · ‎01-12-2015

The following configuration for any splunk enterprise version (not for universal forwarder)

The below configuration send the data with sourcetype=mysourcetype to the 192.169.1.1 indexer and remaining data to 192.168.1.1 indexer.

Hope this configuration helps you.

props.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[mysourcetype]
TRANSFORMS-tcpfwd = sendtotcpreceiver

transforms.conf
~~~~~~~~~~~~~~~~~~~~~~~
[sendtotcpreceiver]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=tcpreceivergroup

output.conf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[tcpout]
defaultGroup = default-group

[tcpout: default-group]
server = 192.168.1.1:9997

[tcpout:tcpreceivergroup] <-- To Splunk indexer
server=192.169.1.1:7999

Can I configure defaultGroup when remotely deploying a *nix universal forwarder with a static configuration?