Getting Data In

Has anyone successfully configured _HTTPOUT_ROUTING in outputs.conf?

schose
Builder

hi all,

i read about the _HTTPOUT_ROUTING in outputs.conf at https://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad . Unfortunately, I didn't find anything in the specfiles or any further examples...

Has anyone configured this? Or can anyone give any advice?

Best regards,

Andreas

sloshburch
Splunk Employee
Splunk Employee

_HTTPOUT_ROUTING is not valid and has since been removed from the documentation. Thanks for calling it out!

0 Karma

marycordova
SplunkTrust
SplunkTrust
  1. what is your use case for using HTTP vs just letting Splunk do its thing? it might to give an answer if we understand the problem and the architecture
  2. do you have an config files you've tried but aren't work? can you post them?
  3. "You can configure routing only on a heavy forwarder" basically, this is a full Splunk Enterprise installation, you just dont use all the features (usually the web interface for search) and forward data to another installation/indexer. there's a lot of features i've found out aren't supported on the universal forwarders by banging my head against a wall until going back to the docs for the 400th time and then finding that one line that says...nope, not on a universal forwarder
  4. " transforms_stanza_name must be unique" this is also a head-banger...unique means not to that config file but to your entire deployment
  5. outputs.conf gets configured as normal
@marycordova
0 Karma

jkat54
SplunkTrust
SplunkTrust

Do you mean _TCP_ROUTING? There isn’t an _HTTP_ROUTING that I can find in outputs.conf or inputs.conf documentation, and I can’t find it at the link you gave.

If so, _TCP_ROUTING tells your inputs which stanza in outputs.conf to use. You can specify it per input or at a global level. See inputs.conf documentation for more details.

_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>, ...
* Comma-separated list of tcpout group names.
* Using this, you can selectively forward the data to specific indexer(s).
* Specify the tcpout group the forwarder should use when forwarding the data.
  The tcpout group names are defined in outputs.conf with
  [tcpout:<tcpout_group_name>].
* Defaults to groups specified in "defaultGroup" in [tcpout] stanza in
  outputs.conf.
* To forward data to all tcpout group names that have been defined in
  outputs.conf, set to '*' (asterisk).
* To forward data from the "_internal" index, _TCP_ROUTING must explicitly be
  set to either "*" or a specific splunktcp target group.
0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hey @schose,

Did you get a chance to consider @jkat54 's question? If so, please respond, as it will enable users to better solve your problem.

Thanks for posting!

0 Karma

schose
Builder

Hi,

i really meant _HTTPOUT_ROUTING .. it would be awsome to have such a functionality as it could give you much more flexibility as _TCPOUT and _SYSLOG_ROUTING.

I would love to see this and hope is not a documentation failure.

0 Karma

coccyx
Path Finder

As far as I'm aware, this does not exist. If you're looking to route data from the ingestion pipeline to third party systems, this is a use case we support in Cribl (https://www.cribl.io).

0 Karma

schose
Builder

exactly, i want to router data to 3rd party systems.. cribl.io looks really interessting to me. I guess we should talk at .conf2018!

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi @jkat54,

_HTTPOUT_ROUTING mentioned in documentation, DEST_KEY should be set to _TCP_ROUTING to send events via TCP. It can also be set to _SYSLOG_ROUTING or _HTTPOUT_ROUTING for other output processors. but I am not able to find anything in outputs.conf and transforms.conf.

Looks like documentation error.

0 Karma

jkat54
SplunkTrust
SplunkTrust

I see that but I don’t know he answer. Converting to comment.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...