Good morning all-
I'm working on a design in my lab where we have two indexers. I have data for one of the indexes 'networkvideo' that I want to only go to one of the indexers, while all of the other data gets sent to both. I'm having trouble getting my outputs.conf file to work properly. I read that 'forwardedindex' statements will work only in the global 'tcpout' stanza. How can I modify this to apply to only one of the indexers?
I appreciate any and all assistance. Below is a version of my work that I know is incorrect, but has all of the important pieces within:
[tcpout]
defaultGroup = indexer1,indexer2
#overwrite the defaults:
forwardedindex.0.whitelist =
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
#new blacklist:
forwardedindex.0.blacklist=networkvideo
[tcpout:indexer1]
server = xx.xx.xx.1
[tcpout:indexer2]
server = xx.xx.xxx.2
Hi @DBattisto
I am pretty sure you can't use the blacklist to do this. You should instead setup two tcpout groups and then use props.conf and transforms.conf to route your data as described here:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Configure_routing
Hope this helps
Hi @DBattisto
I am pretty sure you can't use the blacklist to do this. You should instead setup two tcpout groups and then use props.conf and transforms.conf to route your data as described here:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Configure_routing
Hope this helps
Thanks Chris, I think I can make it work. I'm going to set up a second indexer on my lab later today and work it out. I think this would work:
$/etc/system/local/props.conf:
#
# directs any 'networkvideo' data to indexer2
[networkvideo]
TRANSFORMS-routing=networkvideorouting
$/etc/system/local/transforms.conf:
#
# How to route the data:
[networkvideorouting]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Indexer2
where 'FORMAT' in the transforms.conf stanza links to the 'Indexer2' stanza in my outputs.conf file.