Forums: SplunkAdministration: Splunklightforwarder to index

Hi Guys

I have an issue where I can set up a splunklightforwarder to forward data to a reciever and I can see the tcp port and data on the reciever but how can I route the data on the reciever to a specific index?

I have created an index but it has 0 dtat in it.

Do i se tthe index = "indexname" in the inputs.conf on the forwarder or do I have to create a new application on the receiver and put it in the appname/local/input.conf?

Thanks for your help.

sorry for the typos - what I'm asking is where do I set the index = indexname and how do I map the data on the receiving port to an index?

You can set it on the forwarder via inputs.conf.

OK cheers can you see anything wrong with this?

/opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf

[monitor:usr/local/apache2/logs]
disabled = false
host = redhatdev
_TCP_ROUTING = *
index = devidx

[tcpout-server:localhost:7772]

my indexer is listening on tcp:7772 and there is an index called devidx but it has no data in it?

If I go to the launcher app and select port 7772 I see current data and the search in the search bar says source="tcp:7772" but it's not populating the devidx index.

if I search using

index="main" source="tcp:7772"

then I get the same data displayed so it looks like all the data is going straight to the main index rather than the one I specify in the inputs.conf on the forwarder

does the system/local/inputs.conf override /SplunLightForwarder/local/inputs.conf?

you have an incorrect listening port configuraiton. You are using

[tcp:1234]

[splunktcp:1234]

Not sure if i's a bug or not but I was configuring the tcp port vi a the data inputs link on the mgmt links on the receiver - just did it through the set up Forwarders and Receivers tab instead and it worked straight away.

Hi

I have forwarding and receiving working fine now until I try to encrypt the forwarding connection with SSL

Following this link http://www.splunk.com/base/Documentation/4.0.8/Admin/UseSSLencryptionbetweenforwardersandreceivers?r=searchtip

I have the following setup

On the SplunkLightForwarder

Working without SSL on the Forwarder /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf

[default]
index = devidx
host = rhdev
_rcvbuf = 1572864

[monitor:var/log/*.log]
disabled = false
blacklist = gz
_TCP_ROUTING = *

[splunktcp:29997]
disabled = false
_blacklist = gz
index = devidx

Then I set up encryption according to the link above and data stops getting to the devidx index.

not working With SSL on the Forwarder /opt/splunk/etc/apps/SplunkLightForwarder/local/outputs.conf

[tcpout]
defaultGroup = devserver_29997
disabled = false
maxQueueSize = 1000

[tcpout:devserver_29997]
server = devserver:29997

[tcpout-server:devserver:29997]
sslCertPath=/opt/splunk/etc/auth/server.pem
sslRootCAPath=/opt/splunk/etc/auth/cacert.pem
sslPassword=password
sslVerifyServerCert=false

[splunktcp-ssl:29997]
index = devidx
disabled = false
_blacklist = gz

not working with SSL on the Receiver /opt/splunk/etc/system/local/inputs.conf

[default]
host = devserver
[SSL]
serverCert=/opt/splunk/etc/auth/server.pem
password=password
rootCA=/opt/splunk/etc/auth/cacert.pem
requireClientCert=false

[splunktcp-ssl://29997]
index = devidx

here is the splunkd.log from the SplunkLightforwarder on start up

1-28-2010 11:52:44.722 INFO TcpOutputProc - Retrieving configuration from properties
01-28-2010 11:52:44.725 INFO TcpOutputProc - Will retry at max backoff sleep forever
01-28-2010 11:52:44.725 INFO TcpOutputProc - Using SSL for server devserver:29997, sslCertPath=/opt/splunk/etc/auth/server.pem
01-28-2010 11:52:44.725 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
01-28-2010 11:52:44.726 INFO TcpOutputProc - initializing single connection with retry strategy for devserver:29997
01-28-2010 11:52:44.732 INFO loader - Instantiated plugin: controlqueueoutputprocessor
01-28-2010 11:52:44.733 INFO loader - Instantiated plugin: deploymentprocessor
01-28-2010 11:52:44.734 INFO TcpOutputProc - attempting to connect to devserver:29997...
01-28-2010 11:52:44.739 WARN DeploymentClient - DeploymentClient is disabled.
01-28-2010 11:52:44.745 WARN ServerClassMgr - No valid configuration found for tenant: default
01-28-2010 11:52:44.745 WARN TenantService - Unable to load server classes for DS: default
01-28-2010 11:52:44.750 WARN ServerClassMgr - No valid configuration found for tenant: default
01-28-2010 11:52:44.750 WARN TenantService - Unable to load server classes for DS: default
01-28-2010 11:52:44.751 INFO loader - Instantiated plugin: tailingprocessor
01-28-2010 11:52:44.951 INFO loader - Instantiated plugin: selectprocessor
01-28-2010 11:52:44.951 INFO loader - Instantiated plugin: queueoutputprocessor
01-28-2010 11:52:44.952 INFO loader - Instantiated plugin: archiveprocessor
01-28-2010 11:52:44.999 INFO loader - Instantiated plugin: queueoutputprocessor
01-28-2010 11:52:45.002 INFO loader - Instantiated plugin: execprocessor
01-28-2010 11:52:45.002 INFO loader - Instantiated plugin: queueoutputprocessor
01-28-2010 11:52:45.003 INFO loader - Instantiated plugin: fschangemanagerprocessor
01-28-2010 11:52:45.005 INFO loader - Running....
01-28-2010 11:52:45.006 WARN pipeline - Exiting pipeline scheduler gracefully: got eExit from processor LiveSplunks
01-28-2010 11:52:45.009 WARN pipeline - Exiting pipeline distributedDeploymentNG gracefully: got eExit from processor distdeploymentNG
01-28-2010 11:52:45.010 INFO loader - Server supporting SSL v2/v3
01-28-2010 11:52:45.010 INFO loader - Using cipher suite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Is there anything obviously wrong?

Cheers for helping guys.