universal forwarder with more than one outputs.conf

mamaral
Path Finder

I need to configure my collection of universal forwarders to send information to distinct TCP ports...


Basically:

*NIX sending to indexer on port 7700

Input A sending to indexer on port 7701

Input B sending to indexer on port 7702

etc.


Could someone please help me?

Thanks

Amaral

gkanapathy
Splunk Employee

There's rarely a point in doing this. You can just send them all to the same port. The Splunk forwarding protocol includes identification of the source host (and the source file, the destination index, and other things) so there's usually not any need or advantage to using more than one port.

But if you really did need this for some reason (e.g., you're running multiple instances of Splunk on the host on different ports, or simply different hosts), you'd simply add a _TCP_ROUTING key to the inputs clause:

_TCP_ROUTING = destA

where destA is just the name of the output group in outputs.conf, e.g. destA in [tcpout:destA]
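
How the _TCP_ROUTING value in an inputs.conf stanza lines up with the [tcpout:<name>] groups in outputs.conf, as an added example that is not part of the original thread: the Python below parses two constructed sample files and reports any routing name that has no matching output group. The monitor paths, the indexer.example.com host and the deliberately undefined inputC group are assumptions made for illustration.

```python
import configparser

# Constructed sample configs; paths, host and the inputC group are placeholders.
INPUTS_CONF = """
[monitor:///var/log/messages]
_TCP_ROUTING = Nix
[monitor:///opt/appA/logs]
_TCP_ROUTING = inputA
[monitor:///opt/appB/logs]
_TCP_ROUTING = inputB, inputC
"""

OUTPUTS_CONF = """
[tcpout]
defaultGroup = Nix
[tcpout:Nix]
server = indexer.example.com:7700
[tcpout:inputA]
server = indexer.example.com:7701
[tcpout:inputB]
server = indexer.example.com:7702
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: _TCP_ROUTING is upper-case
    cp.read_string(text)
    return cp

def routing_report(inputs_text, outputs_text):
    """Map each input stanza to its output groups and list undefined groups."""
    inputs, outputs = parse(inputs_text), parse(outputs_text)
    # Group name -> server, taken from every [tcpout:<name>] stanza.
    groups = {s.split(":", 1)[1]: outputs[s].get("server")
              for s in outputs.sections() if s.startswith("tcpout:")}
    routes, missing = {}, []
    for stanza in inputs.sections():
        raw = inputs[stanza].get("_TCP_ROUTING")
        if raw is None:
            continue  # no explicit routing set on this input
        names = [n.strip() for n in raw.split(",") if n.strip()]
        routes[stanza] = [(n, groups.get(n)) for n in names]
        missing += [(stanza, n) for n in names if n not in groups]
    return routes, missing

if __name__ == "__main__":
    routes, missing = routing_report(INPUTS_CONF, OUTPUTS_CONF)
    print(routes, "undefined groups:", missing, sep="\n")
```
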

Rob
Splunk Employee

I am not quite sure what you are looking to do. But if you are looking to configure a Universal Forwarder to forward all data to 3 different indexers for specific ports then you will want to create a stanza for each indexer in your outputs.conf file like this:

[tcpout]
defaultGroup=*

[tcpout:Nix]
server = xxx.xxx.xxx.xxx:7700

[tcpout:inputA]
server = xxx.xxx.xxx.xxx:7701

[tcpout:inputB]
server = xxx.xxx.xxx.xxx:7702

If you want some additional information from the Splunk documentation, here is a link for cloning data across indexes and here is a link for forwarding data to indexes.
