Set up routing
With routing, a Splunk server forwards data to receiving Splunk servers based on data content. For example, data may be routed to systems based on sourcetype, a search field you created, or the content of the raw event. Routing allows you to distribute events to the systems accessed and managed by people who monitor those events specifically.
First, decide which events will be routed to which servers. Then edit the props.conf, transforms.conf and outputs.conf files on the forwarding servers.
Configuration
props.conf
Edit $SPLUNK_HOME/etc/bundles/local/props.conf and set a TRANSFORMS-routing= attribute:
    [<spec>]
    TRANSFORMS-routing=$UNIQUE_STANZA_NAME
<spec> can be:
- <sourcetype>, the sourcetype of an event
- host::<host>, where <host> is the host for an event
- source::<source>, where <source> is the source for an event
$UNIQUE_STANZA_NAME should match the name of your stanza in transforms.conf.
transforms.conf
Edit $SPLUNK_HOME/etc/bundles/local/transforms.conf and set rules to match your props.conf stanza:
    [$UNIQUE_STANZA_NAME]
    REGEX=$YOUR_REGEX
    DEST_KEY=_TCP_ROUTING
    FORMAT=$UNIQUE_GROUP_NAME
- $UNIQUE_STANZA_NAME must match the name you set in the TRANSFORMS-routing attribute in props.conf.
- Enter the regex in $YOUR_REGEX to determine which events get conditionally routed.
- DEST_KEY must be set to _TCP_ROUTING to send events via TCP.
- Set FORMAT to $UNIQUE_GROUP_NAME. This must match the group name you create in outputs.conf.
outputs.conf
Edit $SPLUNK_HOME/etc/bundles/local/outputs.conf and set which tcpout outputs go to which servers or groups:
    [tcpout:$UNIQUE_GROUP_NAME]
    server=$IP:$PORT
- Set $UNIQUE_GROUP_NAME to match the FORMAT value you set in transforms.conf.
- Set the IP address and port to match the receiving server.
Examples
Basic example
In the following example, we will send all events with sourcetype::syslog to one target group, all events that contain the word error to another target group, and everything else to a third target group.
props.conf
Edit $SPLUNK_HOME/etc/bundles/local/props.conf and set a TRANSFORMS-routing= attribute:
    [default]
    TRANSFORMS-routing=errorRouting

    [syslog]
    TRANSFORMS-routing=syslogRouting
transforms.conf
Edit $SPLUNK_HOME/etc/bundles/local/transforms.conf and set errorRouting and syslogRouting rules:
    [errorRouting]
    REGEX=error
    DEST_KEY=_TCP_ROUTING
    FORMAT=errorGroup

    [syslogRouting]
    REGEX=.
    DEST_KEY=_TCP_ROUTING
    FORMAT=syslogGroup
outputs.conf
Edit $SPLUNK_HOME/etc/bundles/local/outputs.conf and set which tcpout outputs go to which servers or groups:
    [tcpout]
    defaultGroup=everythingElseGroup

    [tcpout:syslogGroup]
    server=10.1.1.197:9997

    [tcpout:errorGroup]
    server=10.1.1.200:9999

    [tcpout:everythingElseGroup]
    server=10.1.1.250:6666
Complex example
This example combines routing, data balancing and target-group-specific parameters. This outputs.conf sends all events with sourcetype::syslog to one balanced target group, all events that contain the word error to a different target group, and clones everything else to two target groups. The syslogGroup uses a persistent queue which lives in the /tmp directory and is capped at a maximum on-disk size of 100MB. The heartbeat frequency for all target groups is dialed down to 10 seconds.
Note: the props.conf and transforms.conf are the same as in the basic example above.
outputs.conf
    [tcpout]
    defaultGroup=everythingElseGroup1, everythingElseGroup2
    heartbeatFrequency=10

    [tcpout:syslogGroup]
    server=10.1.1.197:9997, 10.1.1.198:7777
    usePersistentQueue=true
    blockOnQueueFull=true
    persistentQueuePath=/tmp
    maxPersistentQueueSizeInMegs=100

    [tcpout:errorGroup]
    server=10.1.1.200:9999

    [tcpout:everythingElseGroup1]
    server=10.1.1.240:6666

    [tcpout:everythingElseGroup2]
    server=10.1.1.245:5555
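The routing chain described in the Configuration section and used by both examples above depends on three names agreeing across three files: the TRANSFORMS-routing value in props.conf, the stanza name in transforms.conf, and the FORMAT value that must have a matching [tcpout:<group>] stanza in outputs.conf. A single misspelled group name silently breaks delivery, so the events a monitoring team depends on never arrive. The following script is an added example (not Splunk's own code or a supported tool): it parses the three files with a minimal stanza/key=value parser, reports every broken reference in the chain, and resolves which target group a given event would reach. The sample configuration is constructed from the examples on this page, with one group name in defaultGroup deliberately misspelled to show what the check catches. The resolver assumes that a TRANSFORMS-routing attribute in the sourcetype stanza replaces the same-named attribute in [default] and that the first rule whose REGEX matches the raw event wins; both are modelling assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample configuration, modelled on the examples on this page.
PROPS_CONF = """
[default]
TRANSFORMS-routing=errorRouting
[syslog]
TRANSFORMS-routing=syslogRouting
"""

TRANSFORMS_CONF = """
[errorRouting]
REGEX=error
DEST_KEY=_TCP_ROUTING
FORMAT=errorGroup
[syslogRouting]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=syslogGroup
"""

# defaultGroup deliberately misspells the second group ("everthingElseGroup2")
# so that the consistency check below has something to report.
OUTPUTS_CONF = """
[tcpout]
defaultGroup=everythingElseGroup1, everthingElseGroup2
heartbeatFrequency=10
[tcpout:syslogGroup]
server=10.1.1.197:9997, 10.1.1.198:7777
[tcpout:errorGroup]
server=10.1.1.200:9999
[tcpout:everythingElseGroup1]
server=10.1.1.240:6666
[tcpout:everythingElseGroup2]
server=10.1.1.245:5555
"""

Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """Minimal .conf parser: [stanza] headers followed by key=value lines."""
    stanzas: Conf = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def split_list(value: str) -> List[str]:
    """Split a comma-separated value such as 'groupA, groupB' into names."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_routing(props: Conf, transforms: Conf, outputs: Conf) -> List[str]:
    """Return human-readable problems in the props -> transforms -> outputs chain."""
    problems: List[str] = []
    groups = {name[len("tcpout:"):] for name in outputs if name.startswith("tcpout:")}
    for stanza, attrs in props.items():
        for key, value in attrs.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for tname in split_list(value):
                rule = transforms.get(tname)
                if rule is None:
                    problems.append(f"props [{stanza}] {key} references missing transforms stanza [{tname}]")
                    continue
                if rule.get("DEST_KEY") != "_TCP_ROUTING":
                    problems.append(f"transforms [{tname}] DEST_KEY={rule.get('DEST_KEY')!r}, expected _TCP_ROUTING")
                try:
                    re.compile(rule.get("REGEX", ""))
                except re.error as exc:
                    problems.append(f"transforms [{tname}] REGEX does not compile: {exc}")
                fmt = rule.get("FORMAT")
                if fmt not in groups:
                    problems.append(f"transforms [{tname}] FORMAT={fmt!r} has no [tcpout:{fmt}] stanza in outputs.conf")
    for group in split_list(outputs.get("tcpout", {}).get("defaultGroup", "")):
        if group not in groups:
            problems.append(f"outputs [tcpout] defaultGroup references missing group [tcpout:{group}]")
    for group in groups:
        if "server" not in outputs["tcpout:" + group]:
            problems.append(f"outputs [tcpout:{group}] has no server= setting")
    return problems


def route_event(sourcetype: str, raw: str, props: Conf, transforms: Conf, outputs: Conf) -> List[str]:
    """Resolve the target group(s) for one event.

    Assumption (this example's model, not a statement about Splunk internals):
    attributes in the sourcetype stanza override same-named attributes in
    [default], and the first matching _TCP_ROUTING rule wins. Events that match
    no rule go to every group listed in defaultGroup.
    """
    attrs = dict(props.get("default", {}))
    attrs.update(props.get(sourcetype, {}))
    for key, value in attrs.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for tname in split_list(value):
            rule = transforms.get(tname, {})
            if rule.get("DEST_KEY") == "_TCP_ROUTING" and re.search(rule.get("REGEX", ""), raw):
                return [rule["FORMAT"]]
    return split_list(outputs.get("tcpout", {}).get("defaultGroup", ""))


if __name__ == "__main__":
    p, t, o = parse_conf(PROPS_CONF), parse_conf(TRANSFORMS_CONF), parse_conf(OUTPUTS_CONF)
    for problem in check_routing(p, t, o):
        print("PROBLEM:", problem)
    for st, ev in [("syslog", "kernel: disk error"), ("web", "GET / 500 error"), ("web", "GET / 200")]:
        print(f"{st!r} {ev!r} -> {route_event(st, ev, p, t, o)}")
```

Run the script against copies of the three files before restarting the forwarder; any "references missing" line means events for that rule or default group would have nowhere to go. The resolver is also a quick way to confirm that a syslog event containing the word error lands in syslogGroup rather than errorGroup under the modelled override rule, which is the kind of interaction worth verifying with a test event on a real forwarder.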
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4