outputs.conf
This documentation does not apply to the most recent version of Splunk.
Outputs.conf controls the destination and configuration for routing and cloning data to other servers over TCP.
To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/outputs.conf.
You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/outputs.conf.example.
Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.
outputs.conf.spec
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
# [qid] PREAMBLE = The following is a mail transaction generated by Splunk.

#EXAMPLES ARE EXPLAINED BELOW THE DESCRIPTION HERE

#----GLOBAL CONFIGURATION-----
#These configurations will be used
#if they are not overridden in specific target groups
[tcpout]

#All events that do not have target group metadata will be
#sent to this group. If there is more than one group specified
#the events will be cloned to all listed
#(defaults to send to every specified target group in the configuration)
defaultGroup=<groupname1>,<groupname2> . . .

#If true, events are cooked (have been processed by Splunk and are not raw)
#If false, events are raw and untouched prior to sending
#(defaults to true)
sendCookedData=true

#How often in seconds to send a heartbeat packet to the receiver
#Heartbeats are only sent if 'sendCookedData' is true
#(defaults to 30 seconds)
heartbeatFrequency=60

#The maximum number of queued events (queue size)
#(defaults to 1000)
maxQueueSize=20000

#If set to true and the queue is full,
#write events to the disk (directory is specified with 'persistentQueuePath').
#(defaults to false)
usePersistentQueue=false

#The maximum size in megabytes of the disk file where the persistent queue stores its events
#(defaults to 1000)
maxPersistentQueueSizeInMegs=1000

#Wait N * 5 seconds before throwing out all new events until the queue has space.
#Setting this to -1 or 0 will set the queue to block when it gets full, blocking up the processor chain.
#When any target group's queue is blocked, no more data will reach any other target group.
#Using load balanced groups is the best way to alleviate this condition
#because multiple receivers must be down (or jammed up) before queue blocking occurs.
#(defaults to -1 - do not drop events)
dropEventsOnQueueFull=10

#----TARGET GROUP CONFIGURATION----
#You can have as many target groups as you wish. If more than one is specified,
#it will clone each event into each target group

#Specify a target group for an IP:PORT which consists of a single receiver
[tcpout:group1]
server=10.1.1.197:9997

#Specify a target group for a hostname which consists of a single receiver
[tcpout:group2]
server=myhost.Splunk.com:9997

#Specify a target group made up of 2 receivers. In this case, the data will be
#Load balanced (round-robin) between these 2 receivers. You can specify as many
#receivers as you wish here. You can combine host name and IP if you wish.
[tcpout:group3]
server=myhost.Splunk.com:9997,10.1.1.197:6666

#You can override any of the global configuration values on a per-target group basis
#All target groups that do not override a global config will inherit the global config
[tcpout:group4]
server=foo.Splunk.com:9997
heartbeatFrequency=45
maxQueueSize=100500

#----SERVER SPECIFIC CONFIGURATION----
#These are optional, and there are no global overrides for these
[tcpout-server://10.1.1.197:9997]

#Defines how many seconds to wait until retrying the first time a retry is needed
#(defaults to 5 seconds)
backoffAtStartup=N

#Defines how many seconds to wait until retrying every time other than the first time a
#retry is needed
#(defaults to 2 seconds)
initialBackoff=N

#Specifies the number of times the system should retry after reaching the highest backoff
#period before stopping completely. A -1 means to try forever.
#It is suggested that you never change this from the default, or the forwarder will completely
#stop forwarding to a downed URI at some point.
#(defaults to -1 - forever)
maxNumberOfRetriesAtHighestBackoff=N

#Specifies the number of seconds before reaching the maximum backoff frequency.
#A further explanation lies in the exponential back off algorithm that is being used:
# If a connection needs to be retried, the first time through it either
# uses 'backoffAtStartup' or 'initialBackoff' as the number of seconds to wait.
# After this time expires, it doubles the number of seconds over and over again until
# reaching 'maxBackoff'. When this is reached, it stops doubling the number of
# seconds in between retries and uses the same 'maxBackoff' seconds. It retries at
# this frequency 'maxNumberOfRetriesAtHighestBackoff' times or forever if that value is -1.
#(defaults to 20)
maxBackoff=N

#If specified, this connection will use SSL. This is the path to the client
#certificate.
sslCertPath=/home/myhome/certs/foo.pem

#The path to the root certificate authority file (optional)
sslRootCAPath=/home/myhome/certs/root.pem

#If true, make sure that the server you are connecting
#is a valid one (authenticated). Both the common name and the alternate name of the server
#are then checked for a match.
#(defaults to false)
sslVerifyServerCert=true

#Check the common name of the server's certificate against this name.
#If there is no match, assume that we aren't authenticated against this server. You must
#specify this key/value pair if 'sslVerifyServerCert' is true.
sslCommonNameToCheck=mycommonname

#Check the alternate name of the server's certificate against this name.
#If there is no match, assume that we aren't authenticated against this server. You must
#specify this key/value pair if 'sslVerifyServerCert' is true.
altCommonNameToCheck=myalternatename
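Added example (not part of the Splunk documentation or Splunk's code): the retry schedule the back off comments describe, so you can see how long a forwarder keeps trying before a finite maxNumberOfRetriesAtHighestBackoff makes it stop forwarding for good. The function names are hypothetical, and capping the wait at maxBackoff when a doubling would pass it is an assumption read from the spec's wording.

```python
def retry_waits(first_wait, max_backoff=20, retries_at_max=-1):
    """Yield the seconds waited before each reconnect attempt.

    first_wait is backoffAtStartup (first retry ever, spec default 5) or
    initialBackoff (later retries, spec default 2). The wait doubles until
    it reaches max_backoff (capped there: an assumption), then repeats
    retries_at_max times, or forever when that value is -1.
    """
    if first_wait <= 0 or max_backoff <= 0:
        raise ValueError("backoff values must be positive")
    wait = min(first_wait, max_backoff)
    while wait < max_backoff:
        yield wait
        wait = min(wait * 2, max_backoff)
    done = 0
    while retries_at_max == -1 or done < retries_at_max:
        yield max_backoff
        done += 1


def seconds_until_give_up(first_wait, max_backoff=20, retries_at_max=-1):
    """Total seconds spent retrying; None means the forwarder never gives up."""
    if retries_at_max == -1:
        return None
    return sum(retry_waits(first_wait, max_backoff, retries_at_max))


if __name__ == "__main__":
    # initialBackoff=2, maxBackoff=20, three retries at the highest backoff
    print(list(retry_waits(2, 20, 3)))
    print(seconds_until_give_up(2, 20, 3), "seconds until forwarding stops")
```

With the spec defaults and a finite retry count of 3, a receiver outage longer than a minute and a half leaves that receiver without data until the forwarder is restarted, which is why the spec advises leaving the value at -1.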
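Added example (not part of the Splunk documentation): a small audit of an outputs.conf that lists every receiver whose connection is unencrypted or unauthenticated according to the SSL keys in the spec above. The function name and the sample configuration are constructed for illustration; treating only the literal value "true" as enabling sslVerifyServerCert is an assumption.

```python
import configparser

# Constructed sample; hosts and paths reuse the spec's own example values.
SAMPLE = """
[tcpout:group1]
server=10.1.1.197:9997
[tcpout:group3]
server=myhost.Splunk.com:9997,10.1.1.197:6666
[tcpout:group4]
server=foo.Splunk.com:9997
[tcpout-server://myhost.Splunk.com:9997]
sslCertPath=/home/myhome/certs/foo.pem
sslRootCAPath=/home/myhome/certs/root.pem
sslVerifyServerCert=true
sslCommonNameToCheck=mycommonname
altCommonNameToCheck=myalternatename
[tcpout-server://10.1.1.197:6666]
sslCertPath=/home/myhome/certs/foo.pem
[tcpout-server://foo.Splunk.com:9997]
sslCertPath=/home/myhome/certs/foo.pem
sslVerifyServerCert=true
sslCommonNameToCheck=mycommonname
"""
NAME_KEYS = ("sslCommonNameToCheck", "altCommonNameToCheck")

def audit_outputs_conf(text):
    """Return (server, problem) pairs for receivers without authenticated SSL."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (sslCertPath, not sslcertpath)
    cp.read_string(text)
    findings = []
    for group in (s for s in cp.sections() if s.startswith("tcpout:")):
        servers = cp.get(group, "server", fallback="").split(",")
        for server in filter(None, (s.strip() for s in servers)):
            stanza = "tcpout-server://" + server
            opts = dict(cp[stanza]) if cp.has_section(stanza) else {}
            if "sslCertPath" not in opts:
                findings.append((server, "no sslCertPath, so the connection does not use SSL"))
            elif opts.get("sslVerifyServerCert", "false").strip().lower() != "true":
                # spec default is false; only "true" counts as enabled (assumption)
                findings.append((server, "sslVerifyServerCert is not true, receiver is not authenticated"))
            else:
                findings += [(server, key + " is required when sslVerifyServerCert is true")
                             for key in NAME_KEYS if not opts.get(key)]
    return findings

if __name__ == "__main__":
    for server, problem in audit_outputs_conf(SAMPLE):
        print(f"{server}: {problem}")
```

Because the SSL keys exist only in per-server stanzas with no global override, a receiver added to a target group without its own tcpout-server stanza is sent data in the clear, which is the first case the audit reports.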
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3