Hi there,
We're trying to have a Splunk forwarder send data to an intermediate Splunk heavy forwarder that
clones the data to different indexer cluster groups based on the sourcetype.
sourcetype1 sends data to indexercluster1 (default routing)
sourcetype2 sends data to indexercluster1 ***and*** indexercluster2
We have set up the configuration below, but for some reason data is only indexed in indexercluster1.
Data for sourcetype2 is never sent to indexercluster2 as intended.
Any idea why?
Thanks a lot for any help
props.conf
# Attaches the index-time transform TR_routing_sourcetype2 to events of sourcetype "sourcetype2".
# NOTE(review): TRANSFORMS- rules run only on the instance that parses the data. Confirm this
# stanza is deployed on the heavy forwarder and that events arrive there unparsed with this
# exact sourcetype name - TODO confirm against the sending forwarder.
[sourcetype2]
TRANSFORMS-routing=TR_routing_sourcetype2
transforms.conf
# Routing transform referenced by TRANSFORMS-routing in the [sourcetype2] props stanza.
[TR_routing_sourcetype2]
# "." matches any event that contains at least one character, i.e. effectively every event.
REGEX=.
# Writes the result into the event's output-routing key instead of extracting a field.
DEST_KEY=_TCP_ROUTING
# Comma-separated tcpout group names; each must match a [tcpout:<name>] stanza in outputs.conf.
FORMAT=indexercluster1,indexercluster2
outputs.conf
# Global forwarding settings for this instance.
[tcpout]
# Index filters applied before forwarding. ".*" allows every index.
# NOTE(review): the two empty patterns replace the shipped default filters; presumably this is
# meant to forward internal (_*) indexes as well - verify that is intended.
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
forwardedindex.filter.disable = false
# Events that carry no explicit _TCP_ROUTING value are sent to this group only.
defaultGroup = indexercluster1
# Forward only; no local indexed copy is kept on this instance.
indexAndForward = false
# Output group for indexer cluster 1; also named as defaultGroup in [tcpout].
[tcpout:indexercluster1]
disabled = false
maxQueueSize = 6MB
# Receivers in this group; the forwarder distributes events across them.
server = 10.0.1.1:9997,10.0.1.2:9997,10.0.1.3:9997
# Certificate this forwarder presents to the receivers.
# NOTE(review): etc/auth/server.pem and etc/auth/cacert.pem are the locations of the
# certificates shipped with Splunk. If these are still the shipped defaults, they give no real
# peer identity; use certificates issued by your own CA - confirm which is in use.
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
# Passphrase for the private key in sslCertPath. "somepassword" looks like a redacted
# placeholder; keep real values out of posts, tickets and version control.
sslPassword = somepassword
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
# SECURITY: with verification off the stream is encrypted but the receiver is not
# authenticated - its certificate is not checked against sslRootCAPath, so events can be
# delivered to any host answering on these addresses. Set to true once the indexers present
# certificates issued by the CA in sslRootCAPath.
sslVerifyServerCert = false
# Indexer acknowledgement: the forwarder resends data the receiver did not acknowledge.
useACK = true
# Output group for indexer cluster 2. It is not the defaultGroup, so it receives events only
# when their _TCP_ROUTING value names it (here via FORMAT in TR_routing_sourcetype2).
[tcpout:indexercluster2]
disabled = false
maxQueueSize = 6MB
# Receivers in this group; the forwarder distributes events across them.
server = 10.0.2.1:9997,10.0.2.2:9997,10.0.2.3:9997
# Same certificate, key passphrase and CA file as the indexercluster1 group.
# NOTE(review): these are the locations of Splunk's shipped certificates; if they are still
# the defaults, replace them with certificates from your own CA - confirm which is in use.
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
# "somepassword" looks like a redacted placeholder for the private-key passphrase.
sslPassword = somepassword
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
# SECURITY: the receiver's certificate is not validated, so the link is encrypted but the
# destination is unauthenticated. Set to true once the indexers present certificates issued by
# the CA in sslRootCAPath.
sslVerifyServerCert = false
# Indexer acknowledgement: the forwarder resends data the receiver did not acknowledge.
useACK = true
inputs.conf
# Defaults applied to every input stanza on this instance.
[default]
# Commented out, so no input-level routing override is active here; routing is left to
# defaultGroup in outputs.conf and to any _TCP_ROUTING value set by a transform.
#_TCP_ROUTING = *
# TLS settings used by the SSL receiving input(s) on this instance.
# NOTE(review): requireClientCert is not set in this excerpt. Unless it is set elsewhere,
# sending forwarders are not authenticated by certificate and any host that can reach the
# port can submit data - confirm whether that is intended.
[SSL]
# NOTE(review): etc/auth/cacert.pem and etc/auth/server.pem are the locations of the
# certificates shipped with Splunk; confirm they have been replaced with your own.
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem
# Passphrase for the private key in serverCert. "somepassword" looks like a redacted
# placeholder; keep real values out of posts, tickets and version control.
password = somepassword
# Receiving input for forwarder traffic over TLS on port 9997, using the [SSL] stanza's
# certificate settings. No per-input settings are shown in this excerpt.
[splunktcp-ssl:9997]