Solved: Need help resolving why _TCP_ROUTING is not sendin...

john_glasscock · ‎08-31-2016

I have been trying to figure this out for a few days, and I am not getting anywhere.

I have specific data coming in on one server/directory that has a UF installed on it that I want to send to a specific Indexer/Index. Windows logs go to the index cluster, and the PII data needs to go to a stand alone indexer.

So, here is what I have currently,

**** OUTPUTS.CONF ****

[tcpout]
defaultGroup = ihf_cluster

[tcpout:ihf_cluster]
autoLB=true
server = 10.10.10.1:9997, 10.10.10.2:9997,10.10.10.3:9997,10.10.10.4:9997

[tcpout:Fraud]
server = 10.10.10.100:9997

**** INPUTS.CONF ****

[monitor:/E:\fraudlogs]
disabled = false
sourcetype = PII
index =  PII
_TCP_ROUTING = Fraud

john_glasscock · ‎09-01-2016

Sorry, it is working correctly. The problem was there was a firewall port 9997 that wasn't opened up by the firewall team, even though it was suppose to be. Thanks

View solution in original post

john_glasscock · ‎09-01-2016

Sorry, it is working correctly. The problem was there was a firewall port 9997 that wasn't opened up by the firewall team, even though it was suppose to be. Thanks

somesoni2 · ‎08-31-2016

The monitoring stanza is missing one slash /. Is it a typo OR actual entry that you've?
Please ensure that you configurations matches the example given in below link and you've restarted Splunk UF after making these changes.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad#Route_inputs_to_spe...

Need help resolving why _TCP_ROUTING is not sending specified data to specified indexer?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability