This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
Enable routing to forward data from one Splunk server to another based on content. For example, data may be routed to systems based on sourcetype, a custom indexed field, or the content of the raw event. Routing lets you send specific events to specific systems.
To set up routing:
Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing= attribute:
[<spec>]
TRANSFORMS-routing=$UNIQUE_STANZA_NAME
<spec> can be:
<sourcetype>, the sourcetype of an event
host::<host>, where <host> is the host for an event
source::<source>, where <source> is the source for an event
Use the $UNIQUE_STANZA_NAME when creating your entry in transforms.conf (below).
Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set rules to match your props.conf stanza:
[$UNIQUE_STANZA_NAME]
REGEX=$YOUR_REGEX
DEST_KEY=_TCP_ROUTING
FORMAT=$UNIQUE_GROUP_NAME
$UNIQUE_STANZA_NAME must match the name you created in props.conf.
$YOUR_REGEX is the regular expression that determines which events get conditionally routed.
DEST_KEY must be set to _TCP_ROUTING to send events via TCP.
FORMAT is set to $UNIQUE_GROUP_NAME. This must match the group name you create in outputs.conf.
Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which tcpout outputs go to which servers or groups:
[tcpout:$UNIQUE_GROUP_NAME]
server=$IP:$PORT
$UNIQUE_GROUP_NAME must match the name you created in transforms.conf.
The following example sends all events with sourcetype="syslog" to one target group, all events that contain the word error to another target group, and everything else to a third target group.
1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing= attribute:
[default]
TRANSFORMS-routing=errorRouting
[syslog]
TRANSFORMS-routing=syslogRouting
2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting and syslogRouting rules:
[errorRouting]
REGEX=error
DEST_KEY=_TCP_ROUTING
FORMAT=errorGroup
[syslogRouting]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=syslogGroup
3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which tcpout outputs go to which servers or groups:
[tcpout]
defaultGroup=everythingElseGroup
[tcpout:syslogGroup]
server=10.1.1.197:9997
[tcpout:errorGroup]
server=10.1.1.200:9999
[tcpout:everythingElseGroup]
server=10.1.1.250:6666
This example combines routing, data balancing and target-group-specific parameters. This outputs.conf sends all events with sourcetype="syslog" to one balanced target group, all events that contain the word error to a different target group, and clones everything else to two target groups. The syslogGroup uses a persistent queue which lives in the /tmp directory and is capped at a maximum on-disk size of 100MB. The heartbeat frequency for all target groups is dialed down to 10 seconds.
Note: Steps 1 and 2, props.conf and transforms.conf, are the same as in the example above.
3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which tcpout outputs go to which servers or groups:
[tcpout]
defaultGroup=everythingElseGroup1, everythingElseGroup2
heartbeatFrequency=10
[tcpout:syslogGroup]
server=10.1.1.197:9997, 10.1.1.198:7777
usePersistentQueue=true
blockOnQueueFull=true
[tcpout:errorGroup]
server=10.1.1.200:9999
[tcpout:everythingElseGroup1]
server=10.1.1.240:6666
[tcpout:everythingElseGroup2]
server=10.1.1.245:5555
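The way props.conf, transforms.conf and outputs.conf combine to pick a destination, as an added Python example that is not part of the Splunk documentation: it parses constructed copies of the example stanzas above (with one group name in defaultGroup= deliberately misspelled), resolves which tcpout group an event would be forwarded to, and lists every FORMAT= or defaultGroup= name that has no matching [tcpout:<name>] stanza. It assumes the precedence described above, that a [<sourcetype>] stanza's TRANSFORMS-routing overrides the one in [default].

```python
import configparser
import re

# Constructed copies of the three example files above, kept inline so this runs offline.
PROPS = """[default]
TRANSFORMS-routing=errorRouting
[syslog]
TRANSFORMS-routing=syslogRouting"""
TRANSFORMS = """[errorRouting]
REGEX=error
DEST_KEY=_TCP_ROUTING
FORMAT=errorGroup
[syslogRouting]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=syslogGroup"""
OUTPUTS = """[tcpout]
defaultGroup=everythingElseGroup1, everthingElseGroup2
[tcpout:syslogGroup]
server=10.1.1.197:9997, 10.1.1.198:7777
[tcpout:errorGroup]
server=10.1.1.200:9999
[tcpout:everythingElseGroup1]
server=10.1.1.240:6666
[tcpout:everythingElseGroup2]
server=10.1.1.245:5555"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def route(sourcetype, raw, props=PROPS, transforms=TRANSFORMS, outputs=OUTPUTS):
    """Return the tcpout group names an event would be forwarded to."""
    p, t, o = load(props), load(transforms), load(outputs)
    # a [<sourcetype>] stanza overrides the same attribute set in [default]
    stanza = sourcetype if p.has_section(sourcetype) else "default"
    rule = p.get(stanza, "TRANSFORMS-routing", fallback=None)
    if rule and t.get(rule, "DEST_KEY") == "_TCP_ROUTING" and re.search(t.get(rule, "REGEX"), raw):
        return [t.get(rule, "FORMAT")]  # the transform set _TCP_ROUTING
    return [g.strip() for g in o.get("tcpout", "defaultGroup").split(",")]  # fall back to defaultGroup

def undefined_groups(transforms=TRANSFORMS, outputs=OUTPUTS):
    """Names used by FORMAT= or defaultGroup= that have no matching [tcpout:<name>] stanza."""
    t, o = load(transforms), load(outputs)
    defined = {s[len("tcpout:"):] for s in o.sections() if s.startswith("tcpout:")}
    used = {g.strip() for g in o.get("tcpout", "defaultGroup").split(",")}
    used |= {t.get(s, "FORMAT") for s in t.sections() if t.has_option(s, "FORMAT")}
    return sorted(used - defined)
```

Running undefined_groups() before restarting a forwarder catches a group referenced by a transform or by defaultGroup that was never given a server, which neither file flags on its own.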