Hello,
I currently have some Windows Servers with the Universal Forwarder installed that are sending data to our indexer. I am now in a situation where I need to have the forwarder also send the data to a third party server. According to the documentation, the following in outputs.conf should send all data:
[tcpout]
[tcpout:fastlane]
server = 10.1.1.2:1517
sendCookedData = false
However, the third party server is getting data, but it is only receiving "INFO" type logs, which appear to be transaction type information from the splunk forwarder program itself and not the actual log data (windows events, iis etc.) that I am sending into splunk and that I need.
Am I missing something or will the universal forwarder not send that data?
Thanks
We do the following:
In outputs.conf we specify multiple tcpout stanzas:
[tcpout:xxxxxx]
....
[tcpout:yyyyyy]
....
If you don't specify anything in inputs.conf, all data will be streamed in both directions (or three if you choose to).
Do you have a props.conf and transforms.conf configured to tell the forwarder what data to send? See: http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Forwarddatatothird-partysystemsd
In props.conf:
[<sourcetype/data to send>]
TRANSFORMS-fastlane = fastlane
In transforms.conf:
[fastlane]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = fastlane
It might vary a bit for your configuration but the linked docs walk through it pretty well.
How do I check the data in the third party server?
I saw that in the documentation, but it said it was for a heavy forwarder; I am using a Universal Forwarder. I will give it a try and see; it would allow me to separate better than the way I was doing it with the default group. Thanks
Yep, you're right. I believe with a universal forwarder you can forward everything using what you just posted. Using a heavy forwarder you can selectively forward data to the third-party system.
Figured it out. I need to add the group fastlane to the tcpout default group:
[tcpout]
defaultGroup = default-autolb-group, fastlane   <--- added fastlane
Thanks
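To make the two points of this thread concrete (a [tcpout:<group>] stanza only receives default-routed data when it is listed in [tcpout] defaultGroup, and on a universal forwarder a per-input _TCP_ROUTING in inputs.conf is the way to send only some inputs to a group), here is an added example checker, not code from the original thread or from Splunk. It parses constructed copies of the broken and fixed outputs.conf from the posts above, reports the defaultGroup mistake, and resolves which tcpout groups each input stanza in a constructed inputs.conf would be sent to. It assumes Splunk's INI-style stanza syntax, that an explicit _TCP_ROUTING on an input overrides defaultGroup and that "*" means every defined group; the internal-log input in the sample is modelled with _TCP_ROUTING = *, which is consistent with only the forwarder's own INFO events reaching the fastlane group in the original symptom. The host addresses and stanza names are illustrative only.

```python
"""Added example (not from the original thread or Splunk): check a
universal forwarder's outputs.conf / inputs.conf routing offline."""
import configparser
import io

# Constructed sample: the original poster's first attempt. fastlane is
# defined but not listed in defaultGroup, so only inputs that route to it
# explicitly (such as the forwarder's internal logs) will reach it.
OUTPUTS_BROKEN = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.1.1.1:9997

[tcpout:fastlane]
server = 10.1.1.2:1517
sendCookedData = false
"""

# Constructed sample: the fix from the thread, fastlane added to defaultGroup.
OUTPUTS_FIXED = """
[tcpout]
defaultGroup = default-autolb-group, fastlane

[tcpout:default-autolb-group]
server = 10.1.1.1:9997

[tcpout:fastlane]
server = 10.1.1.2:1517
sendCookedData = false
"""

# Constructed sample inputs.conf (hypothetical paths). The IIS input is
# pinned to the indexer group; the internal-log input models the default
# routing to every group (assumption, see lead-in).
INPUTS_SAMPLE = r"""
[WinEventLog://Security]
disabled = 0

[monitor://C:\inetpub\logs\LogFiles]
sourcetype = iis
_TCP_ROUTING = default-autolb-group

[monitor://$SPLUNK_HOME\var\log\splunk]
_TCP_ROUTING = *
"""


def parse_conf(text):
    """Parse Splunk stanza syntax, keeping key case (e.g. sendCookedData)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def tcpout_groups(cp):
    """Return {group_name: settings} for every [tcpout:<group>] stanza."""
    return {s.split(":", 1)[1]: dict(cp[s]) for s in cp.sections()
            if s.startswith("tcpout:")}


def default_groups(cp):
    """Return the group names listed in [tcpout] defaultGroup."""
    raw = cp["tcpout"].get("defaultGroup", "") if cp.has_section("tcpout") else ""
    return [g.strip() for g in raw.split(",") if g.strip()]


def check_outputs(text):
    """Return findings about default routing; an empty list means every
    defined group is in defaultGroup and has a server to send to."""
    cp = parse_conf(text)
    groups = tcpout_groups(cp)
    defaults = default_groups(cp)
    findings = []
    for name in defaults:
        if name not in groups:
            findings.append(f"defaultGroup names '{name}' but no [tcpout:{name}] stanza exists")
    for name, settings in groups.items():
        if name not in defaults:
            findings.append(f"[tcpout:{name}] is not in defaultGroup; only inputs with "
                            f"_TCP_ROUTING naming it will reach it")
        if "server" not in settings:
            findings.append(f"[tcpout:{name}] has no server setting")
    return findings


def route_inputs(outputs_text, inputs_text):
    """Map each input stanza to the tcpout groups its events go to: an
    explicit _TCP_ROUTING wins ('*' = every defined group), otherwise
    the input follows [tcpout] defaultGroup."""
    out = parse_conf(outputs_text)
    groups = list(tcpout_groups(out))
    defaults = default_groups(out)
    routes = {}
    for stanza in parse_conf(inputs_text).sections():
        routing = parse_conf(inputs_text)[stanza].get("_TCP_ROUTING", "").strip()
        if routing == "*":
            routes[stanza] = list(groups)
        elif routing:
            routes[stanza] = [g.strip() for g in routing.split(",") if g.strip()]
        else:
            routes[stanza] = list(defaults)
    return routes


if __name__ == "__main__":
    for label, text in (("broken", OUTPUTS_BROKEN), ("fixed", OUTPUTS_FIXED)):
        print(label, check_outputs(text) or ["ok"])
    for stanza, groups in route_inputs(OUTPUTS_FIXED, INPUTS_SAMPLE).items():
        print(stanza, "->", ", ".join(groups))
```

Run it against your own files by reading them in place of the constructed strings; on the forwarder itself, `splunk btool outputs list --debug` shows the merged outputs.conf that this checker should be fed, since a defaultGroup in etc/system/local overrides the app-level one.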
Where you added the lines below, is that in the outputs.conf located in the local directory? I am really a newbie in Splunk and would like to know whether you updated it exactly as below.
[tcpout]
defaultGroup = default-autolb-group, fastlane   <--- added fastlane