I have [tcpout] configured as below and is working fine. However i now have a requirement to syslog one sourcetype to another server. unfortunately when i add the [syslog] stanza and atributes as below and restart service, the syslog starts working but the standard tcpout stops forwarding to my indexers
any idea why? how to trouble shoot? i would like both working
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
disabled = false
[tcpout:default-autolb-group]
autoLB = true
disabled = false
server = indexer1:9997,indexer2:9997
useACK = true
maxQueueSize = 100MB
[syslog]
defaultGroup = teamb
[syslog:teamb]
server = 10.0.0.2:514
type = tcp
syslogSourcetype = sourcetype::proxylogs
do not use defaultGroup for syslog, use directly
`
[syslog]
server = 10.0.0.2:514
type = tcp
syslogSourcetype = sourcetype::proxylogs
`
if you have multiple syslogs, use a different name, like [syslog-teamb]
looks like key error is
05-30-2012 10:44:54.699 -0400 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying....
this is a heavy forwarder.
05-30-2012 10:44:54.699 -0400 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
05-30-2012 10:45:48.358 -0400 INFO TcpOutputProc - Connected to idx=
05-30-2012 10:46:18.394 -0400 INFO TcpOutputProc - Connected to idx=
Are there any mesages in the Splunkd.log? Also, what happens if you change Syslog over to use UDP? What sort of setup do you have? (Is this a heavy forwarder, light-weight or UF?)