Hi folks,
I have a HF already sending data to one cloud instance, however I'd like to start sending data to a different cloud stack from the same HF.
Can anyone give an example of the configuration in outputs.conf? Should I configure it in local or default?
Should I use different receiving ports for this configuration? If so, which one do you recommend?
I appreciate your help.
Thanks.
If you want to send all data to both the instances, you have to put all the stanzas of both outputs.conf in one common outputs.conf, the only parameters not to use are:
in your case something like this:
[tcpout:splunkcloud_20220701_9aaa4b04216cd9a0a4dc1eb274307fd1]
server = yyyyy.splunkcloud.com:9997
channelReapInterval = 60000
channelReapLowater = 10
channelTTL = 300000
dnsResolutionInterval = 300
negotiateNewProtocol = true
polling_interval = 5
socksResolveDNS = false
autoLBFrequency = 120
clientCert = $SPLUNK_HOME/etc/apps/yyyy.splunkcloud/default/yyyy._server.pem
compressed = false
sslCommonNameToCheck = *.yyyyyy.splunkcloud.com
sslVerifyServerCert = true
useClientSSLCompression = true
[tcpout]
sslPassword = $7$ycs8Ky2NJ7C6ac5cli3WDMYUhJ8c0AGzYcvs98ClgTbMKHAyLn3b/tiFEna/KXUXy9Cwx7CKZWp3Io0gypPEzmsHK2Wc9U7fhm0qjwx
useACK = true
[tcpout:sxs]
autoLBFrequency = 120
clientCert = $SPLUNK_HOME/etc/apps/xxxx.splunkcloud/default/xxxx.server.pem
compressed = true
disabled = 0
server = xxxx..forwarders.sxs.splunk.com:9997
sslAltNameToCheck = *.forwarders.sxs.splunk.com
sslVerifyServerCert = true
useClientSSLCompression = false
[tcpout:splunkcloud_20220420_9aaa4b04216cd9a0a4dc1eb27430]
autoLBFrequency = 120
clientCert = $SPLUNK_HOME/etc/apps/xxxxx.splunkcloud/default/xxxx.server.pem
compressed = false
server = inputs1.xxxx..splunkcloud.com:9997, inputs2.xxxxx..splunkcloud.com:9997, etc..
sslCommonNameToCheck = *.xxxx.splunkcloud.com
sslVerifyServerCert = true
useClientSSLCompression = true
I'm not sure about all the options, but if you copy both the outputs.conf in one you should have your result.
Ciao.
Giuseppe
Thanks, this helped a lot. Be aware you need to place the sslPassword = into the right stanza.
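An added example, not part of the original posts or of Splunk's own tooling: a small Python check over a merged outputs.conf that flags the two issues raised in this thread, an enabled target group missing from `defaultGroup` (a comma-separated `defaultGroup` is what makes the forwarder clone data to every listed group) and a group with no `sslPassword` in its own stanza. The group names `stack_a` and `stack_b`, the hosts and the password placeholders are constructed.

```python
# Added example: lint a merged outputs.conf for the problems raised in this thread.
# Group names, hosts and passwords are constructed placeholders, not the poster's values.
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_outputs(text):
    """Return findings for enabled target groups; an empty list means none found."""
    conf = parse_conf(text)
    top = conf.get("tcpout", {})  # global settings, inherited by every group
    default = {g.strip() for g in top.get("defaultGroup", "").split(",")}
    findings = []
    for name, cfg in conf.items():
        if not name.startswith("tcpout:") or cfg.get("disabled", "0") in ("1", "true"):
            continue
        group = name.split(":", 1)[1]
        if group not in default:
            findings.append(f"{group}: not listed in defaultGroup")
        if "clientCert" in cfg and "sslPassword" not in cfg:
            findings.append(f"{group}: no sslPassword of its own, falls back to [tcpout]")
        if cfg.get("sslVerifyServerCert", top.get("sslVerifyServerCert", "false")).lower() != "true":
            findings.append(f"{group}: sslVerifyServerCert is not true")
    return findings

# Merged form: both groups in defaultGroup, each certificate password in its own stanza.
MERGED = """
[tcpout]
defaultGroup = stack_a, stack_b
[tcpout:stack_a]
server = inputs.stack-a.example:9997
clientCert = $SPLUNK_HOME/etc/apps/stack_a/default/server.pem
sslPassword = <stack-a-cert-password>
sslVerifyServerCert = true
[tcpout:stack_b]
server = inputs.stack-b.example:9997
clientCert = $SPLUNK_HOME/etc/apps/stack_b/default/server.pem
sslPassword = <stack-b-cert-password>
sslVerifyServerCert = true
"""
# Layered form matching the thread's symptom: only one group is left in defaultGroup.
BROKEN = MERGED.replace("stack_a, stack_b", "stack_b")
if __name__ == "__main__":
    print(lint_outputs(MERGED), lint_outputs(BROKEN))
```

Feed it the effective configuration (for example the text of the merged outputs.conf) rather than one app's file, since the findings depend on what wins after layering.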
Hi @splunk_luis12,
the question is: do you want to send all logs to both instances or not?
Anyway, you have to create a dedicated outputs.conf, containing both the addressing.
Could you share (without IP addresses or names) your outputs.conf for both the connections?
Anyway, here you can find all information.
Ciao.
Giuseppe
Hi @gcusello, Yes I want to send all logs to both instances.
This is the configuration of both apps. I already tried to connect both stacks to my HF, but once I enable the second one then the first one stops sending data.
[splunk@ip-10-202-xx-x apps]$ btool outputs list --debug | grep yyyy*
/opt/splunk/etc/apps/yyyy.splunkcloud/local/outputs.conf channelReapInterval = 60000
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf channelReapLowater = 10
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf channelTTL = 300000
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf dnsResolutionInterval = 300
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf negotiateNewProtocol = true
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf polling_interval = 5
/opt/splunk/etc/apps/yyyyy.splunkcloud/local/outputs.conf socksResolveDNS = false
/opt/splunk/etc/apps/yyyyyy.splunkcloud/default/outputs.conf [tcpout:splunkcloud_20220701_9aaa4b04216cd9a0a4dc1eb274307fd1]
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/yyyy.splunkcloud/default/yyyy._server.pem
/opt/splunk/etc/apps/yyyy.splunkcloud/default/outputs.conf compressed = false
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf server = yyyyy.splunkcloud.com:9997
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf sslCommonNameToCheck = *.yyyyyy.splunkcloud.com
/opt/splunk/etc/apps/yyyyy.splunkcloud/default/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/apps/yyyyyy.splunkcloud/default/outputs.conf useClientSSLCompression = true
[splunk@ip-10-202-xx-x apps]$ btool outputs list --debug | grep xxx*
/opt/splunk/etc/apps/xxxxx.splunkcloud/local/outputs.conf [tcpout]
/opt/splunk/etc/apps/xxx_splunkcloud/default/outputs.conf defaultGroup = splunkcloud_20220420_9aaa4b04216cd9a0a4dc1eb274307fd1
/opt/splunk/etc/apps/xxxxxx.splunkcloud/local/outputs.conf sslPassword = $7$ycs8Ky2NJ7C6ac5cli3WDMYUhJ8c0AGzYcvs98ClgTbMKHAyLn3b/tiFEna/KXUXy9Cwx7CKZWp3Io0gypPEzmsHK2Wc9U7fhm0qjwx
/opt/splunk/etc/apps/xxx.splunkcloud/default/outputs.conf useACK = true
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf [tcpout:sxs]
/opt/splunk/etc/apps/xxx.splunkcloud/default/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/xxxx.splunkcloud/default/xxxx.server.pem
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf compressed = true
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf disabled = 1
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf server = xxxx..forwarders.sxs.splunk.com:9997
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf sslAltNameToCheck = *.forwarders.sxs.splunk.com
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf useClientSSLCompression = false
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf [tcpout:splunkcloud_20220420_9aaa4b04216cd9a0a4dc1eb27430]
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf autoLBFrequency = 120
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf clientCert = $SPLUNK_HOME/etc/apps/xxxxx.splunkcloud/default/xxxx.server.pem
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf compressed = false
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf server = inputs1.xxxx..splunkcloud.com:9997, inputs2.xxxxx..splunkcloud.com:9997, etc..
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf sslCommonNameToCheck = *.xxxx.splunkcloud.com
/opt/splunk/etc/apps/xxxx.splunkcloud/default/outputs.conf sslVerifyServerCert = true
/opt/splunk/etc/apps/xxxxx.splunkcloud/default/outputs.conf useClientSSLCompression = true
I appreciate your help.
Thanks.
Hi @splunk_luis12,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉