I have been trying to figure this out for a few days, and I am not getting anywhere.
I have specific data coming in on one server/directory that has a UF installed on it that I want to send to a specific Indexer/Index. Windows logs go to the index cluster, and the PII data needs to go to a standalone indexer.
So, here is what I have currently:
**** OUTPUTS.CONF ****
[tcpout]
defaultGroup = ihf_cluster
[tcpout:ihf_cluster]
autoLB=true
server = 10.10.10.1:9997, 10.10.10.2:9997,10.10.10.3:9997,10.10.10.4:9997
[tcpout:Fraud]
server = 10.10.10.100:9997
**** INPUTS.CONF ****
[monitor:/E:\fraudlogs]
disabled = false
sourcetype = PII
index = PII
_TCP_ROUTING = Fraud
Sorry, it is working correctly. The problem was there was a firewall port 9997 that wasn't opened up by the firewall team, even though it was supposed to be. Thanks.
The monitoring stanza is missing one slash (/). Is it a typo or the actual entry that you have?
Please ensure that your configuration matches the example given in the link below and that you've restarted Splunk UF after making these changes.
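An offline consistency check for the configuration discussed in this thread, added here as an example and not posted by any participant. It flags a monitor stanza that does not use the documented `monitor://<path>` form, verifies that every `_TCP_ROUTING` value names a defined `[tcpout:<group>]` stanza, and returns the receivers each input routes to so that port reachability can be confirmed with the firewall team. The function names `parse_conf`, `output_groups` and `check_routing` are hypothetical, and the sample text is constructed from the question.

```python
import configparser

# Constructed sample input mirroring the configuration posted in the question.
OUTPUTS_CONF = r"""
[tcpout]
defaultGroup = ihf_cluster
[tcpout:ihf_cluster]
autoLB=true
server = 10.10.10.1:9997, 10.10.10.2:9997,10.10.10.3:9997,10.10.10.4:9997
[tcpout:Fraud]
server = 10.10.10.100:9997
"""
INPUTS_CONF = r"""
[monitor:/E:\fraudlogs]
disabled = false
sourcetype = PII
index = PII
_TCP_ROUTING = Fraud
"""

def parse_conf(text):
    # Only "=" separates key and value, so "host:port" values stay intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. _TCP_ROUTING
    cp.read_string(text)
    return cp

def output_groups(outputs):
    """Map each [tcpout:<group>] name to its list of (host, port) receivers."""
    return {
        name.split(":", 1)[1]: [tuple(s.strip().rsplit(":", 1))
                                for s in outputs[name].get("server", "").split(",") if s.strip()]
        for name in outputs.sections() if name.startswith("tcpout:")
    }

def check_routing(inputs_text, outputs_text):
    """Return (findings, endpoints): config problems, and receivers per routed input."""
    inputs, groups = parse_conf(inputs_text), output_groups(parse_conf(outputs_text))
    findings, endpoints = [], {}
    for section in inputs.sections():
        if section.startswith("monitor:") and not section.startswith("monitor://"):
            findings.append(f"[{section}]: expected the form monitor://<path>")
        routing = inputs[section].get("_TCP_ROUTING", "")
        for group in filter(None, (g.strip() for g in routing.split(","))):
            if group not in groups:
                findings.append(f"[{section}]: _TCP_ROUTING group '{group}' has no [tcpout:{group}] stanza")
            else:
                endpoints.setdefault(section, []).extend(groups[group])
    return findings, endpoints
```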