How to configure HTTP Event Collector (HEC) with _TCP_ROUTING to forward data to a specified outputs group, not default?

kyaparla
Path Finder

I am trying to forward HTTP input to a specific outputs group with _TCP_ROUTING, but events get forwarded to the default outputs group.

inputs.conf

[http://abcd]
disabled = 0
_TCP_ROUTING = abc_indexers
index = main
token = XXXXX

outputs.conf

[tcpout:abc_indexers]
server = indexer1:9997

[tcpout:xyz_indexers]
server = indexer2:9997

[tcpout]
defaultGroup = xyz_indexers

With the above configuration, HTTP Event Collector (HEC) forwards data to the default group xyz_indexers. The same setup works fine for monitor, script, or REST inputs.

Glenn
Builder

According to the docs (http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf), the http stanza type uses a setting called "outputgroup" for this, and _TCP_ROUTING is not mentioned for that stanza type.

outputgroup = <string>
* The name of the forwarding output group to send data to.
* Defaults to empty string.

Disclaimer: I haven't personally tried this. I'm actually now interested to see how the functionality compares... since _TCP_ROUTING states that it supports a comma-separated list of output groups so that you can send to multiple places, and "outputgroup" does not mention that, I wonder if the functionality is less than for other stanza types.

Jason_S
Path Finder

I've used 'outputgroup' to send data to specific output groups. In the following example, token-A sends data to abc_indexers, token-B sends data to xyz_indexers, and token-C clones data to both abc_indexers and xyz_indexers.

[http://token-A]
outputgroup = abc_indexers

[http://token-B]
outputgroup = xyz_indexers

[http://token-C]
outputgroup = abc_indexers,xyz_indexers

scannon4
SplunkTrust

Jason, so you can use multiple groups in the outputgroup stanza? Please let me know as I need to try this. Thanks!

0 Karma

Jason_S
Path Finder

Yup, for the HEC forwarders I manage, I'm able to have a token send to multiple groups using a configuration similar to the one I posted on June 27, 2017.

0 Karma

scannon4
SplunkTrust

Thanks. I added two entries to outputgroup and it is only sending to one of them. In the HTTP Event Collector GUI, when you edit an entry, do you see anything but None in the Output Group drop down? Since I am only seeing None I wonder if it is just defaulting to my defaultGroup set in outputs.conf.

0 Karma

Jason_S
Path Finder

I'm unable to check the UI since we disable the UI and manage HEC configuration directly via the .conf files. Here's a stripped down version of our inputs.conf and outputs.conf. This configuration sends to both sets of indexers and overrides defaultGroup, which is set to a third set of indexers.

# inputs.conf
[http://foo]
outputgroup = abc_indexers,xyz_indexers

# outputs.conf
[tcpout]
defaultGroup = default_indexers

[tcpout:abc_indexers]
server = abc

[tcpout:xyz_indexers]
server = xyz

0 Karma
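To check a configuration like the one above before relying on it, here is an added example (my own code, not Splunk's and not from any poster) that parses Splunk-style inputs.conf and outputs.conf text and reports, per HEC token, which tcpout group(s) it will actually forward to. It applies the rule established in this thread: http:// stanzas route on the comma-separated `outputgroup` setting, fall back to `defaultGroup` in `[tcpout]`, and do not honor `_TCP_ROUTING`. The sample configs are constructed from the ones posted in the thread; the function and warning names are my own.

```python
"""Resolve which tcpout group(s) each HEC token forwards to (added example)."""
import configparser
from typing import Dict, List, Set, Tuple

HEC_PREFIX = "http://"
GROUP_PREFIX = "tcpout:"


def _parse(conf_text: str) -> configparser.ConfigParser:
    """Parse .conf text while preserving key case (Splunk keys such as
    _TCP_ROUTING and defaultGroup are case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep key case instead of lowercasing
    cp.read_string(conf_text)
    return cp


def _split_list(value: str) -> List[str]:
    """Split a comma-separated Splunk value, dropping blanks and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_output_groups(outputs_text: str) -> Tuple[Set[str], List[str], List[str]]:
    """Return (defined tcpout groups, defaultGroup list, warnings)."""
    cp = _parse(outputs_text)
    groups: Set[str] = set()
    default_groups: List[str] = []
    warnings: List[str] = []
    for section in cp.sections():
        if section.startswith(GROUP_PREFIX):
            # Tolerate "[tcpout: xyz_indexers]" by stripping stray whitespace.
            groups.add(section[len(GROUP_PREFIX):].strip())
        elif section == "tcpout":
            if cp.has_option(section, "defaultGroup"):
                default_groups = _split_list(cp.get(section, "defaultGroup"))
            if cp.has_option(section, "default"):
                warnings.append("[tcpout] sets 'default'; the documented key is 'defaultGroup'")
    return groups, default_groups, warnings


def resolve_hec_routing(inputs_text: str, outputs_text: str) -> Dict[str, dict]:
    """Map each HEC token name to its effective output groups plus warnings."""
    groups, default_groups, output_warnings = parse_output_groups(outputs_text)
    cp = _parse(inputs_text)
    result: Dict[str, dict] = {}
    for section in cp.sections():
        if not section.startswith(HEC_PREFIX):
            continue  # only http:// stanzas are HEC tokens
        token = section[len(HEC_PREFIX):]
        warnings = list(output_warnings)
        explicit = _split_list(cp.get(section, "outputgroup", fallback=""))
        if explicit:
            targets, source = explicit, "outputgroup"
        else:
            targets, source = list(default_groups), "defaultGroup"
        if cp.has_option(section, "_TCP_ROUTING"):
            warnings.append("_TCP_ROUTING is ignored for http inputs; use outputgroup instead")
        for group in targets:
            if group not in groups:
                warnings.append(f"output group '{group}' is not defined in outputs.conf")
        result[token] = {"groups": targets, "source": source, "warnings": warnings}
    return result


# Constructed sample configs modelled on the ones posted in the thread.
OP_INPUTS = """
[http://abcd]
disabled = 0
_TCP_ROUTING = abc_indexers
index = main
token = XXXXX
"""
OP_OUTPUTS = """
[tcpout:abc_indexers]
server = indexer1:9997

[tcpout:xyz_indexers]
server = indexer2:9997

[tcpout]
defaultGroup = xyz_indexers
"""
MULTI_INPUTS = """
[http://foo]
outputgroup = abc_indexers,xyz_indexers
"""
MULTI_OUTPUTS = """
[tcpout]
defaultGroup = default_indexers

[tcpout:abc_indexers]
server = abc

[tcpout: xyz_indexers]
server = xyz
"""

if __name__ == "__main__":
    for inputs, outputs in ((OP_INPUTS, OP_OUTPUTS), (MULTI_INPUTS, MULTI_OUTPUTS)):
        for token, info in resolve_hec_routing(inputs, outputs).items():
            print(token, "->", info["groups"], f"(via {info['source']})")
            for warning in info["warnings"]:
                print("  warning:", warning)
```

Run against the original poster's config, the token `abcd` resolves to `xyz_indexers` via `defaultGroup` and gets a warning that `_TCP_ROUTING` is ignored for http inputs, which is exactly the behaviour reported; Jason_S's `foo` token resolves to both `abc_indexers` and `xyz_indexers` with no warnings. The check that every referenced group exists in outputs.conf catches the kind of typo that otherwise silently falls back to the default group.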

scannon4
SplunkTrust

OK well I have it all configured properly. I will just have to keep trying. Thanks for the info!

0 Karma