sorry for the typos - what I'm asking is where do I set the index = indexname and how do I map the data on the receiving port to an index?
Forums: SplunkAdministration: Splunklightforwarder to index
Hi Guys
I have an issue where I can set up a splunklightforwarder to forward data to a receiver and I can see the tcp port and data on the receiver but how can I route the data on the receiver to a specific index?
I have created an index but it has 0 data in it.
Do I set the index = "indexname" in the inputs.conf on the forwarder or do I have to create a new application on the receiver and put it in the appname/local/input.conf?
Thanks for your help.
You can set it on the forwarder via inputs.conf.
OK cheers can you see anything wrong with this?
/opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
[monitor:usr/local/apache2/logs]
disabled = false
host = redhatdev
_TCP_ROUTING = *
index = devidx
/opt/splunk/etc/apps/SplunkLightForwarder/local/outputs.conf
[tcpout]
defaultGroup = default-clone-group-localhost_7772
disabled = false
maxQueueSize = 1000
[tcpout:default-clone-group-localhost_7772]
server = localhost:7772
[tcpout-server:localhost:7772]
My indexer is listening on tcp:7772 and there is an index called devidx but it has no data in it?
If I go to the launcher app and select port 7772 I see current data and the search in the search bar says source="tcp:7772" but it's not populating the devidx index.
If I search using
index="main" source="tcp:7772"
then I get the same data displayed so it looks like all the data is going straight to the main index rather than the one I specify in the inputs.conf on the forwarder.
Does the system/local/inputs.conf override /SplunkLightForwarder/local/inputs.conf?
You have an incorrect listening port configuration. You are using
[tcp:1234]
instead of
[splunktcp:1234]
Not sure if it's a bug or not but I was configuring the tcp port via the data inputs link on the mgmt links on the receiver - just did it through the set up Forwarders and Receivers tab instead and it worked straight away.
Hi
I have forwarding and receiving working fine now until I try to encrypt the forwarding connection with SSL.
Following this link http://www.splunk.com/base/Documentation/4.0.8/Admin/UseSSLencryptionbetweenforwardersandreceivers?r=searchtip
I have the following setup
On the SplunkLightForwarder
Working without SSL on the Forwarder /opt/splunk/etc/apps/SplunkLightForwarder/local/inputs.conf
[default]
index = devidx
host = rhdev
_rcvbuf = 1572864
[monitor:var/log/*.log]
disabled = false
blacklist = gz
_TCP_ROUTING = *
Working without SSL on the Forwarder /opt/splunk/etc/apps/SplunkLightForwarder/local/outputs.conf
[tcpout]
defaultGroup = devserver_29997
disabled = false
maxQueueSize = 1000
[tcpout:devserver_29997]
server = devserver:29997
Working without SSL on the Receiver /opt/splunk/etc/apps/search_new_app/local/inputs.conf
[splunktcp:29997]
disabled = false
_blacklist = gz
index = devidx
Then I set up encryption according to the link above and data stops getting to the devidx index.
Not working with SSL on the Forwarder /opt/splunk/etc/apps/SplunkLightForwarder/local/outputs.conf
[tcpout]
defaultGroup = devserver_29997
disabled = false
maxQueueSize = 1000
[tcpout:devserver_29997]
server = devserver:29997
[tcpout-server:devserver:29997]
sslCertPath=/opt/splunk/etc/auth/server.pem
sslRootCAPath=/opt/splunk/etc/auth/cacert.pem
sslPassword=password
sslVerifyServerCert=false
Not working with SSL on the Receiver /opt/splunk/etc/apps/search_new_app/local/inputs.conf
[splunktcp-ssl:29997]
index = devidx
disabled = false
_blacklist = gz
Not working with SSL on the Receiver /opt/splunk/etc/system/local/inputs.conf
[default]
host = devserver
[SSL]
serverCert=/opt/splunk/etc/auth/server.pem
password=password
rootCA=/opt/splunk/etc/auth/cacert.pem
requireClientCert=false
[splunktcp-ssl://29997]
index = devidx
here is the splunkd.log from the SplunkLightforwarder on start up
1-28-2010 11:52:44.722 INFO TcpOutputProc - Retrieving configuration from properties
01-28-2010 11:52:44.725 INFO TcpOutputProc - Will retry at max backoff sleep forever
01-28-2010 11:52:44.725 INFO TcpOutputProc - Using SSL for server devserver:29997, sslCertPath=/opt/splunk/etc/auth/server.pem
01-28-2010 11:52:44.725 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
01-28-2010 11:52:44.726 INFO TcpOutputProc - initializing single connection with retry strategy for devserver:29997
01-28-2010 11:52:44.732 INFO loader - Instantiated plugin: controlqueueoutputprocessor
01-28-2010 11:52:44.733 INFO loader - Instantiated plugin: deploymentprocessor
01-28-2010 11:52:44.734 INFO TcpOutputProc - attempting to connect to devserver:29997...
01-28-2010 11:52:44.739 WARN DeploymentClient - DeploymentClient is disabled.
01-28-2010 11:52:44.745 WARN ServerClassMgr - No valid configuration found for tenant: default
01-28-2010 11:52:44.745 WARN TenantService - Unable to load server classes for DS: default
01-28-2010 11:52:44.750 WARN ServerClassMgr - No valid configuration found for tenant: default
01-28-2010 11:52:44.750 WARN TenantService - Unable to load server classes for DS: default
01-28-2010 11:52:44.751 INFO loader - Instantiated plugin: tailingprocessor
01-28-2010 11:52:44.951 INFO loader - Instantiated plugin: selectprocessor
01-28-2010 11:52:44.951 INFO loader - Instantiated plugin: queueoutputprocessor
01-28-2010 11:52:44.952 INFO loader - Instantiated plugin: archiveprocessor
01-28-2010 11:52:44.999 INFO loader - Instantiated plugin: queueoutputprocessor
01-28-2010 11:52:45.002 INFO loader - Instantiated plugin: execprocessor
01-28-2010 11:52:45.002 INFO loader - Instantiated plugin: queueoutputprocessor
01-28-2010 11:52:45.003 INFO loader - Instantiated plugin: fschangemanagerprocessor
01-28-2010 11:52:45.005 INFO loader - Running....
01-28-2010 11:52:45.006 WARN pipeline - Exiting pipeline scheduler gracefully: got eExit from processor LiveSplunks
01-28-2010 11:52:45.009 WARN pipeline - Exiting pipeline distributedDeploymentNG gracefully: got eExit from processor distdeploymentNG
01-28-2010 11:52:45.010 INFO loader - Server supporting SSL v2/v3
01-28-2010 11:52:45.010 INFO loader - Using cipher suite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Is there anything obviously wrong?
Cheers for helping guys.
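An added example, not part of the original thread and not Splunk's own tooling: a Python check over a forwarder's outputs.conf and a receiver's inputs.conf that reports the two things discussed above, a receiver port declared as `[tcp:…]` where the forwarder needs `[splunktcp:…]` (or `[splunktcp-ssl:…]` once `sslCertPath` is set), and SSL settings that leave either end of the link unauthenticated. The sample configs are constructed from the ones posted here, `parse_conf`, `is_false` and `audit` are hypothetical names, and an absent `sslVerifyServerCert` or `requireClientCert` is assumed to mean false.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

# Accepts both the [splunktcp:9997] and [splunktcp://9997] spellings.
LISTENER = re.compile(r"^(tcp|splunktcp|splunktcp-ssl):(?://)?(?:[^:]*:)?(\d+)$")

def is_false(value):
    return value.strip().lower() in ("false", "0")

def audit(outputs_text, inputs_text):
    """Return findings for one forwarder outputs.conf / receiver inputs.conf pair."""
    outputs, inputs = parse_conf(outputs_text), parse_conf(inputs_text)
    listeners = {m.group(2): m.group(1) for m in map(LISTENER.match, inputs) if m}
    findings = []
    for name, group in outputs.items():
        if not name.startswith("tcpout:"):
            continue
        for server in filter(None, map(str.strip, group.get("server", "").split(","))):
            port = server.rsplit(":", 1)[-1]
            ssl = {}  # SSL keys may sit on the global, group or per-server stanza
            for scope in ("tcpout", name, "tcpout-server:" + server):
                ssl.update({k: v for k, v in outputs.get(scope, {}).items() if k.startswith("ssl")})
            want = "splunktcp-ssl" if "sslCertPath" in ssl else "splunktcp"
            got = listeners.get(port)
            if got != want:
                findings.append(f"{server}: receiver has [{got}], forwarder needs [{want}]")
            # Assumption: an absent setting counts as false.
            if "sslCertPath" in ssl and is_false(ssl.get("sslVerifyServerCert", "false")):
                findings.append(f"{server}: forwarder does not verify the receiver certificate")
            if want == "splunktcp-ssl" and is_false(inputs.get("SSL", {}).get("requireClientCert", "false")):
                findings.append(f"{server}: receiver accepts forwarders without a client certificate")
    return findings

# Constructed samples modelled on the configurations posted in the thread.
FWD_PLAIN = "[tcpout:default-clone-group-localhost_7772]\nserver = localhost:7772\n"
RCV_RAW = "[tcp:7772]\nindex = devidx\n"
FWD_SSL = ("[tcpout:devserver_29997]\nserver = devserver:29997\n[tcpout-server:devserver:29997]\n"
           "sslCertPath=/opt/splunk/etc/auth/server.pem\nsslVerifyServerCert=false\n")
RCV_SSL = "[SSL]\nrequireClientCert=false\n[splunktcp-ssl:29997]\nindex = devidx\n"
if __name__ == "__main__":
    print(audit(FWD_PLAIN, RCV_RAW), audit(FWD_SSL, RCV_SSL), sep="\n")
```
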