Hello,
I have the following outputs defined on all my universal forwarders:
[tcpout]
defaultGroup = prod-group, valid-group
[tcpout:prod-group]
server = server1:9997
[tcpout:valid-group]
server = server2:9997
[tcpout:dev-group]
server = server3:9997
DefaultGroup may be different on some UF.
Inputs to index "_internal" are sent to each output group because the file "$SPLUNK_HOME/apps/SplunkUniversalForwarder/default/inputs.conf" has the following contents:
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal
I want to send these events only to the groups defined as defaultGroup.
I presume I will have to create a new "local/inputs.conf" file with a redefinition of _TCP_ROUTING like
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = ????
But I have no idea what definition I have to give to _TCP_ROUTING.
Thanks
More details on how to manage logs for _internal.
The _internal index is populated by the following stanzas:
$SPLUNK_HOME/etc/default/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
[monitor://$SPLUNK_HOME/etc/splunk.version]
$SPLUNK_HOME/apps/SplunkUniversalForwarder/default/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
If we want to forward the logs only to "prod-group", then create the following in
$SPLUNK_HOME/etc/system/local/inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = prod-group
[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = prod-group
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = prod-group
[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = prod-group
Hi ktn01,
see http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad#Route_inputs_to_spe....
At first, you don't need to insert _TCP_ROUTING = *
when you want to route your events to all indexers, because by default, when there isn't any _TCP_ROUTING option, events are routed to all indexers (with growth of license consumption!).
When you use _TCP_ROUTING there isn't a default group.
So, you have to:
- take the stanzas with index = _internal from $SPLUNK_HOME/etc/system/default/inputs.conf and put them in $SPLUNK_HOME/etc/system/local/inputs.conf;
- set _TCP_ROUTING = prod-group (or valid-group or dev-group);
- before doing this, evaluate what you want to do with the other internal Splunk index (_audit).
bye.
Giuseppe
I downvoted this post because it is not respecting the fact that _TCP_ROUTING = * is set by Splunk's default on Universal Forwarders, as stated already in the question.
Hello,
I don't want to insert _TCP_ROUTING = "*". Splunk does it by default in the app "SplunkForwarder". I don't want to modify the file in the "default" directory.
A way is probably to redefine _TCP_ROUTING in the "local" directory. It's easy to redirect events to "prod-group" or "valid-group". But how do I have to define _TCP_ROUTING to send events to the output(s) defined as defaultGroup?
Default is "to all indexers": if you don't insert _TCP_ROUTING, you send to all indexers; if you insert _TCP_ROUTING, you send to the selected indexer(s).
Bye.
Giuseppe
Hello,
I tried
_TCP_ROUTING = $defaultGroup
_TCP_ROUTING = ""
and
_TCP_ROUTING =
but it doesn't work.
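Added example, not code from any post in this thread: since the attempts above show that _TCP_ROUTING takes literal output-group names and cannot reference defaultGroup, one way to get the requested behaviour is to generate each forwarder's system/local/inputs.conf from its own outputs.conf. The script below parses the defaultGroup list from [tcpout] (the outputs.conf text and the list of _internal stanzas are constructed here from the thread), checks that every group named there is actually defined, and renders the matching _TCP_ROUTING stanzas; the stanza list and the error on undefined groups are this example's assumptions.

```python
import configparser

# Constructed sample outputs.conf, laid out as in the question
OUTPUTS_CONF = """
[tcpout]
defaultGroup = prod-group, valid-group

[tcpout:prod-group]
server = server1:9997

[tcpout:valid-group]
server = server2:9997

[tcpout:dev-group]
server = server3:9997
"""

# Stanzas that feed _internal on a UF, as listed in the thread's second answer
INTERNAL_STANZAS = [
    "monitor://$SPLUNK_HOME/var/log/splunk",
    "monitor://$SPLUNK_HOME/etc/splunk.version",
    "monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log",
    "monitor://$SPLUNK_HOME/var/log/splunk/metrics.log",
]

def parse_conf(text):
    # Splunk .conf files are INI-like; disable interpolation and keep key case
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def default_groups(outputs_text):
    """Return the defaultGroup names from [tcpout]; reject names with no [tcpout:<name>] stanza."""
    cp = parse_conf(outputs_text)
    raw = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in raw.split(",") if g.strip()]
    defined = {s.split(":", 1)[1] for s in cp.sections() if s.startswith("tcpout:")}
    missing = [g for g in groups if g not in defined]
    if missing:
        raise ValueError(f"defaultGroup references undefined output groups: {missing}")
    return groups

def render_local_inputs(groups):
    """Render system/local/inputs.conf text pinning the _internal stanzas to these groups."""
    routing = ", ".join(groups)
    lines = []
    for stanza in INTERNAL_STANZAS:
        lines += [f"[{stanza}]", f"_TCP_ROUTING = {routing}", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_local_inputs(default_groups(OUTPUTS_CONF)))
```

Run it on each forwarder (or in the deployment tooling that pushes outputs.conf) and write the output to $SPLUNK_HOME/etc/system/local/inputs.conf, so forwarders with a different defaultGroup get their own matching routing.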