Solved: Is it possible for a universal forwarded to route ...

erick_thompson · ‎12-16-2011

I have a number of application deployments, and I want each deployment to send logs to a different instance of splunk. Due to the network configuration (the apps are on Azure), I need to use a forwarder. I was looking at the help for the outputs.conf file, and didn't see anything obvious. Is it possible to set up a universal forwarder to listen on multiple ports, and send each port to a different target server?

Thanks!
Erick

dwaddle · ‎12-16-2011

Sure, but you need to configure both inputs.conf and outputs.conf. Something similar to this.

inputs.conf

[monitor:///var/log/httpd]
sourcetype=access_combined
_TCP_ROUTING=indexer1

[tcp://:12345]
_TCP_ROUTING=indexer2

[tcp://:45678]
_TCP_ROUTING=indexer3

outputs.conf

[tcpout:indexer1]
server=indexer1.Splunk.com:9997

[tcpout:indexer2]
server=indexer2.Splunk.com:9997

[tcpout:indexer3]
server=indexer3.Splunk.com:9997

View solution in original post

dwaddle · ‎12-16-2011

Sure, but you need to configure both inputs.conf and outputs.conf. Something similar to this.

inputs.conf

[monitor:///var/log/httpd]
sourcetype=access_combined
_TCP_ROUTING=indexer1

[tcp://:12345]
_TCP_ROUTING=indexer2

[tcp://:45678]
_TCP_ROUTING=indexer3

outputs.conf

[tcpout:indexer1]
server=indexer1.Splunk.com:9997

[tcpout:indexer2]
server=indexer2.Splunk.com:9997

[tcpout:indexer3]
server=indexer3.Splunk.com:9997

erick_thompson · ‎12-16-2011

This is exactly what I am looking for. Thanks! I will try this out first thing on Monday.

Is it possible for a universal forwarded to route on multiple ports?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!