I'm working on doing some data cloning.
As a first step, outputs.conf (on a virgin 6.4.1 universal forwarder on Windows) looks like this, and all is well.
```
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk-c-ix.local:9997
```
Data goes to splunk-c-ix just fine.
When I add another output group (even without making it the default or referring to it in any _TCP_ROUTING lines), then _internal output starts going to both groups.
```
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunk-c-ix.local:9997

[tcpout:clone-group]
server = splunk-c-hf.local:9997
```
I dug into it, and found `_TCP_ROUTING = *` inside the `[monitor://...]` stanzas inside $SPLUNK_HOME\apps\SplunkUniversalForwarder\defaults\inputs.conf, which accounts for the behaviour.
I was hoping I could just do a blacklist for the _* indexes on the tcpout:clone-group, but the docs indicate that blacklist/whitelist only happens globally.
Is there an easy way to override this besides hunting down all the `_TCP_ROUTING = *` in the inputs.conf and overriding them in a local\inputs.conf?
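The per-stanza override the question describes can be generated rather than hunted down by hand. The script below is an added example, not part of the original post: it parses inputs.conf text, lists every stanza whose `_TCP_ROUTING` is `*`, and renders a local override pinning them to one output group. The sample stanzas are constructed for illustration; `default-autolb-group` is the group name from the post.

```python
import re

# Constructed sample resembling a forwarder's default inputs.conf
# (illustrative only, not copied from a real install).
SAMPLE_INPUTS = r"""
[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal

[monitor://C:\app\logs\app.log]
index = main
"""

STANZA = re.compile(r"^\[(.+)\]\s*$")
SETTING = re.compile(r"^([^=\s#][^=]*?)\s*=\s*(.*)$")

def parse_conf(text):
    """Return {stanza: {key: value}}, skipping blank lines and # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = SETTING.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return stanzas

def wildcard_routed(stanzas):
    """Stanzas whose _TCP_ROUTING is '*', i.e. sent to every tcpout group."""
    return [name for name, kv in stanzas.items() if kv.get("_TCP_ROUTING") == "*"]

def local_override(stanzas, group):
    """Render local inputs.conf text that pins those stanzas to one group."""
    return "\n".join(f"[{name}]\n_TCP_ROUTING = {group}\n"
                     for name in wildcard_routed(stanzas))

if __name__ == "__main__":
    print(local_override(parse_conf(SAMPLE_INPUTS), "default-autolb-group"))
```

Running the same audit after adding any new `[tcpout:...]` group shows which inputs would start cloning to it before the forwarder is restarted.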