Hello Experts,
I have an issue where I am unable to send cooked data to two different Indexer ports.
My flow of traffic is UF > HF > IDX
UF IP: a.a.a.a
HF IP: y.y.y.y
IDX IP: x.x.x.x
1) Universal Forwarder is monitoring more than one input with different sourcetypes.
2) My Indexer is listening on TCP 9997 and TCP 9996 (Same Indexer is listening on both the ports)
3) I want the data with sourcetype ABC to hit TCP 9996 and all other data to hit TCP 9997 on the Indexer.
4) When hitting TCP 9996, the index should change to pqr index but while hitting TCP 9997 the index should remain the same as mentioned in the monitor stanza in UF
My configuration is below:
**UF config**

**inputs.conf**

```
[monitor:///xyz/urgent]
index= my_index
sourcetype=ABC
disabled=false

[monitor:///var/important]
index= my_index
sourcetype=DEF
disabled=false
```

**outputs.conf**

```
[tcpout]
useACK=true
maxQueueSize=auto
readTimeout=300

[tcpout:HF]
server = y.y.y.y:9997
```

**HF config**

**inputs.conf**

```
[default]
host = def.sdf.ppp

[splunktcp://9997]
```

**props.conf**

```
[ABC]
TRANSFORMS-routing = route_data
```

**transforms.conf**

```
[route_data]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = urgent
```

**outputs.conf**

```
[tcpout]
defaultGroup = important
maxQueueSize = 50MB
useACK = true

[tcpout:important]
server = x.x.x.x:9997

[tcpout:urgent]
server = x.x.x.x:9996
```

**Indexer config**

**inputs.conf**

```
[default]
host = abcdef.xyz.ppp

[splunktcp://9997]

[splunktcp://9996]
index = pqr
```

This is not working for me. The sourcetype ABC is still sending data on TCP 9997 and not changing the index.
Have I missed something? Is there anything wrong with the config?
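
An added example, not part of the original post and not Splunk's own code: a small Python resolver that reads the HF props, transforms and outputs settings as posted and reports which tcpout group and server each sourcetype resolves to, raising an error when a `_TCP_ROUTING` value names a group or transform that has no stanza. It models only sourcetype stanzas and `_TCP_ROUTING` transforms, uses Python's `re` in place of Splunk's regex engine, and the function names and the sample event are hypothetical.

```python
import configparser
import re

# HF settings copied from the post above (props, transforms, outputs).
PROPS = "[ABC]\nTRANSFORMS-routing = route_data\n"
TRANSFORMS = "[route_data]\nREGEX = .\nDEST_KEY = _TCP_ROUTING\nFORMAT = urgent\n"
OUTPUTS = """[tcpout]
defaultGroup = important
[tcpout:important]
server = x.x.x.x:9997
[tcpout:urgent]
server = x.x.x.x:9996
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def resolve_route(sourcetype, raw_event, props, transforms, outputs):
    """Return (groups, servers) this config selects for one event."""
    groups = split_list(outputs["tcpout"].get("defaultGroup", ""))
    stanza = props[sourcetype] if props.has_section(sourcetype) else {}
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in split_list(value):
            if not transforms.has_section(name):
                raise KeyError(f"props [{sourcetype}] names missing transform [{name}]")
            t = transforms[name]
            # Assumption: Python's re stands in for Splunk's regex matching.
            if t.get("DEST_KEY") == "_TCP_ROUTING" and re.search(t["REGEX"], raw_event):
                groups = split_list(t["FORMAT"])
    servers = []
    for group in groups:
        if not outputs.has_section(f"tcpout:{group}"):
            raise KeyError(f"_TCP_ROUTING names undefined group [tcpout:{group}]")
        servers.append(outputs[f"tcpout:{group}"]["server"])
    return groups, servers

if __name__ == "__main__":
    cfg = load(PROPS), load(TRANSFORMS), load(OUTPUTS)
    for st in ("ABC", "DEF"):  # "constructed sample event" is made-up input
        print(st, resolve_route(st, "constructed sample event", *cfg))
```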