Getting Data In

How to send data to two different Cloud instances?

splunk_luis12
Path Finder

Hi folks,

I have a HF already sending data to one cloud instance, however I'd like to start sending data to a different cloud stack from the same HF.

Can anyone give an example of the configuration in outputs.conf? Should I configure it in local or default?

Should I use different receiving ports for this configuration? If so, which one do you recommend?

I appreciate your help.

Thanks.

1 Solution

gcusello
SplunkTrust

@splunk_luis12,

if you want to send all data to both instances, you have to put all the stanzas of both outputs.conf files in one common outputs.conf; the only parameters not to use are:

  • defaultGroup
  • default-autolb-group

in your case something like this:

[tcpout:splunkcloud_20220701_9aaa4b04216cd9a0a4dc1eb274307fd1]
server = yyyyy.splunkcloud.com:9997
channelReapInterval = 60000
channelReapLowater = 10
channelTTL = 300000
dnsResolutionInterval = 300
negotiateNewProtocol = true
polling_interval = 5
socksResolveDNS = false
autoLBFrequency = 120
clientCert = $SPLUNK_HOME/etc/apps/yyyy.splunkcloud/default/yyyy._server.pem
compressed = false
sslCommonNameToCheck = *.yyyyyy.splunkcloud.com
sslVerifyServerCert = true
useClientSSLCompression = true

[tcpout]
sslPassword = $7$ycs8Ky2NJ7C6ac5cli3WDMYUhJ8c0AGzYcvs98ClgTbMKHAyLn3b/tiFEna/KXUXy9Cwx7CKZWp3Io0gypPEzmsHK2Wc9U7fhm0qjwx
useACK = true

[tcpout:sxs]
autoLBFrequency = 120
clientCert = $SPLUNK_HOME/etc/apps/xxxx.splunkcloud/default/xxxx.server.pem
compressed = true
disabled = 0
server = xxxx..forwarders.sxs.splunk.com:9997
sslAltNameToCheck = *.forwarders.sxs.splunk.com
sslVerifyServerCert = true
useClientSSLCompression = false

[tcpout:splunkcloud_20220420_9aaa4b04216cd9a0a4dc1eb27430]
autoLBFrequency = 120
clientCert = $SPLUNK_HOME/etc/apps/xxxxx.splunkcloud/default/xxxx.server.pem
compressed = false
server = inputs1.xxxx..splunkcloud.com:9997, inputs2.xxxxx..splunkcloud.com:9997, etc..
sslCommonNameToCheck = *.xxxx.splunkcloud.com
sslVerifyServerCert = true
useClientSSLCompression = true

I'm not sure about all the options, but if you copy both outputs.conf files into one you should have your result.

Ciao.

Giuseppe


hendriks
Path Finder

Thanks, this helped a lot. Be aware that you need to place the sslPassword = into the right stanza.

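As an added example (not code from this thread and not Splunk's own tooling), here is a small Python checker that encodes the points made in the accepted answer and in the note above it: with two or more [tcpout:<group>] stanzas, leave defaultGroup and default-autolb-group unset so the forwarder sends every event to all groups, keep each sslPassword in the stanza whose clientCert it unlocks rather than in the global [tcpout] stanza, and keep sslVerifyServerCert on for every stack. The two configurations it parses are constructed, with placeholder hostnames, app paths and dummy passwords; the first carries the mistakes the thread discusses and the second is the corrected form. That an unset defaultGroup fans out to all groups is taken from the answer above, not verified here.

```python
"""Sanity-check a merged Splunk outputs.conf that fans out to several cloud stacks."""
import configparser
from typing import Dict, List

# Constructed sample (placeholder names, non-functional $7$ passwords): sslPassword
# sits in the global [tcpout] stanza and one group has verification switched off.
WEAK_OUTPUTS_CONF = """\
[tcpout]
useACK = true
sslPassword = $7$PLACEHOLDER_GLOBAL

[tcpout:stack_a]
server = inputs1.stack-a.example.com:9997, inputs2.stack-a.example.com:9997
clientCert = $SPLUNK_HOME/etc/apps/stack_a.splunkcloud/default/stack_a_server.pem
sslCommonNameToCheck = *.stack-a.example.com
sslVerifyServerCert = true

[tcpout:stack_b]
server = inputs1.stack-b.example.com:9997
clientCert = $SPLUNK_HOME/etc/apps/stack_b.splunkcloud/default/stack_b_server.pem
sslPassword = $7$PLACEHOLDER_STACK_B
sslVerifyServerCert = false
"""

# The same configuration with each password in its own group stanza and
# server-certificate verification on for both stacks.
FIXED_OUTPUTS_CONF = """\
[tcpout]
useACK = true

[tcpout:stack_a]
server = inputs1.stack-a.example.com:9997, inputs2.stack-a.example.com:9997
clientCert = $SPLUNK_HOME/etc/apps/stack_a.splunkcloud/default/stack_a_server.pem
sslPassword = $7$PLACEHOLDER_STACK_A
sslCommonNameToCheck = *.stack-a.example.com
sslVerifyServerCert = true

[tcpout:stack_b]
server = inputs1.stack-b.example.com:9997
clientCert = $SPLUNK_HOME/etc/apps/stack_b.splunkcloud/default/stack_b_server.pem
sslPassword = $7$PLACEHOLDER_STACK_B
sslCommonNameToCheck = *.stack-b.example.com
sslVerifyServerCert = true
"""


def parse_outputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse outputs.conf text into {stanza: {key: value}}.

    Splunk .conf files are INI-like. Interpolation is disabled because values such
    as $SPLUNK_HOME and $7$... contain '$', and key case is preserved because the
    setting names are camelCase."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_fanout(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means the config looks sound."""
    findings: List[str] = []
    base = cfg.get("tcpout", {})
    groups = {n: s for n, s in cfg.items() if n.startswith("tcpout:")}

    if len(groups) < 2:
        findings.append("fewer than two [tcpout:<group>] stanzas: nothing to fan out to")

    # Per the answer above: leave these unset so every group receives all data.
    for key in ("defaultGroup", "default-autolb-group"):
        if key in base:
            findings.append(f"[tcpout] sets {key} = {base[key]}; remove it so all groups receive the data")

    # A password in [tcpout] is inherited by every group, but it can only
    # unlock one of the per-stack client certificates.
    with_cert = [n for n, s in groups.items() if "clientCert" in s]
    if "sslPassword" in base and len(with_cert) > 1:
        findings.append(f"[tcpout] sets a global sslPassword shared by {len(with_cert)} groups with their own clientCert")

    for name, s in groups.items():
        if "server" not in s:
            findings.append(f"[{name}] has no server setting")
        if "clientCert" in s and "sslPassword" not in s:
            findings.append(f"[{name}] sets clientCert but no sslPassword in the same stanza")
        verify = s.get("sslVerifyServerCert", base.get("sslVerifyServerCert", "false"))
        if verify.strip().lower() != "true":
            findings.append(f"[{name}] does not verify the receiver's certificate (sslVerifyServerCert = {verify})")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_OUTPUTS_CONF), ("fixed", FIXED_OUTPUTS_CONF)):
        print(f"== {label} ==")
        for line in check_fanout(parse_outputs_conf(text)) or ["no findings"]:
            print("  " + line)
```

Run it against the output of `splunk btool outputs list` saved to a file (read the file and pass its text to parse_outputs_conf) to see the merged view the forwarder actually uses, which is where a global sslPassword from one app silently overrides the other's.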

gcusello
SplunkTrust

Hi @splunk_luis12,

the question is: do you want to send all logs to both instances or not?

Anyway, you have to create a dedicated outputs.conf containing the addressing for both.

Could you share (without ipaddresses or names) your outputs.conf for both the connections?

Anyway, here you can find all the information:

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Route_inputs_to_s... 

Ciao.

Giuseppe


splunk_luis12
Path Finder

Hi @gcusello, Yes I want to send all logs to both instances.

This is the configuration of both apps. I already tried to connect both stacks to my HF, but once I enable the second one, the first one stops sending data.

[splunk@ip-10-202-xx-x apps]$ btool outputs list --debug | grep yyyy*
/opt/splunk/etc/apps/yyyy.splunkcloud/local/outputs.conf   channelReapInterval = 60000
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf   channelReapLowater = 10
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf   channelTTL = 300000
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf   dnsResolutionInterval = 300
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf   negotiateNewProtocol = true
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf   polling_interval = 5
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf   socksResolveDNS = false
/opt/splunk/etc/apps/yyyyyy.splunkcloud/default/outputs.conf [tcpout:splunkcloud_20220701_9aaa4b04216cd9a0a4dc1eb274307fd1]
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/yyyy.splunkcloud/default/yyyy._server.pem
/opt/splunk/etc/apps/yyyy.splunkcloud/default/outputs.conf compressed = false
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf server = yyyyy.splunkcloud.com:9997
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf sslCommonNameToCheck = *.yyyyyy.splunkcloud.com
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/apps/yyyyyy.splunkcloud/default/outputs.conf useClientSSLCompression = true

[splunk@ip-10-202-xx-x apps]$ btool outputs list --debug | grep xxx*
/opt/splunk/etc/apps/xxxxx.splunkcloud/local/outputs.conf    [tcpout]
/opt/splunk/etc/apps/xxx_splunkcloud/default/outputs.conf  defaultGroup = splunkcloud_20220420_9aaa4b04216cd9a0a4dc1eb274307fd1
/opt/splunk/etc/apps/xxxxxx.splunkcloud/local/outputs.conf    sslPassword = $7$ycs8Ky2NJ7C6ac5cli3WDMYUhJ8c0AGzYcvs98ClgTbMKHAyLn3b/tiFEna/KXUXy9Cwx7CKZWp3Io0gypPEzmsHK2Wc9U7fhm0qjwx
/opt/splunk/etc/apps/xxx.splunkcloud/default/outputs.conf  useACK = true
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  [tcpout:sxs]
/opt/splunk/etc/apps/xxx.splunkcloud/default/outputs.conf  autoLBFrequency = 120
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  clientCert = $SPLUNK_HOME/etc/apps/xxxx.splunkcloud/default/xxxx.server.pem
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  compressed = true
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  disabled = 1
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf  server = xxxx..forwarders.sxs.splunk.com:9997
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf  sslAltNameToCheck = *.forwarders.sxs.splunk.com
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  sslVerifyServerCert = true
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  useClientSSLCompression = false
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf  [tcpout:splunkcloud_20220420_9aaa4b04216cd9a0a4dc1eb27430]
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf  autoLBFrequency = 120
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf  clientCert = $SPLUNK_HOME/etc/apps/xxxxx.splunkcloud/default/xxxx.server.pem
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  compressed = false
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  server = inputs1.xxxx..splunkcloud.com:9997, inputs2.xxxxx..splunkcloud.com:9997, etc..
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  sslCommonNameToCheck = *.xxxx.splunkcloud.com
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf  sslVerifyServerCert = true
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf  useClientSSLCompression = true

I appreciate your help.

Thanks.

gcusello
SplunkTrust

Hi @splunk_luis12,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
