This documentation does not apply to the most recent version of Splunk.

outputs.conf

outputs.conf controls the destination and configuration for routing and cloning data to other servers over TCP.

outputs.conf.spec

# This file contains possible attributes and values for configuring outputs.conf.
#
# You can configure Splunk's data forwarding actions by creating your own outputs.conf.
# There is NO DEFAULT outputs.conf. To set custom configurations, place an outputs.conf in your own 
# custom bundle directory.  For examples, see outputs.conf.example.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
# NOTE: outputs.conf should live on the forwarding side of any distributed Splunk deployment.
#########################################################################################
#----GLOBAL CONFIGURATION-----
#########################################################################################
# These configurations will be used if they are not overwritten in specific target groups.
# All events that do not have target group metadata will be sent to this group.
# If there is more than one group specified, the events will be cloned to all listed.
[tcpout]
defaultGroup= Group1, Group2, ...
attribute1 = val1
attribute2 = val2
...
	
#########################################################################################
#----TARGET GROUP CONFIGURATION-----
#########################################################################################
# You can have as many target groups as you wish.  
# If more than one is specified, the forwarder will clone every event into each target group.
[tcpout:$TARGET_GROUP]
server=$IP:$PORT, $IP2:$PORT2...
attribute1 = val1
attribute2 = val2
...
#########################################################################################
#----SINGLE SERVER CONFIGURATION-----
#########################################################################################
[tcpout-server://$IP:$PORT]
attribute1 = val1
attribute2 = val2
...
#########################################################################################	
#----OPTIONAL SETTINGS----		
#########################################################################################
# There are a number of optional attributes you can set in outputs.conf.
sendCookedData = <true/false>
	* If true, events are cooked (have been processed by Splunk and are not raw).
	* If false, events are raw and untouched prior to sending.
	* Set to false if you are sending to a third-party system.
	* Defaults to true.
heartbeatFrequency = <integer>
	* How often (in seconds) to send a heartbeat packet to the receiving server.
	* Heartbeats are only sent if 'sendCookedData' is true.
	* Defaults to 30 seconds.
	
	
#########################################################################################
#----QUEUE SETTINGS----		
#########################################################################################
maxQueueSize = <integer>
	* The maximum number of queued events (queue size) on the forwarding server.
	* Defaults to 1000.
usePersistentQueue = <true/false>
	* If set to true and the queue is full, write events to disk.
	* Defaults to false.
persistentQueuePath = <directory path>
	* All events in the forwarding queue will be written to a file in this directory.
	* Must be manually created before Splunk tries to use it.
maxPersistentQueueSizeInMegs = <integer>
	* The maximum size in megabytes of the disk file where the persistent queue stores its events.
	* Defaults to 1000.
	
dropEventsOnQueueFull = <integer>
    * Wait N * 5 seconds before throwing out all new events until the queue has space.
    * Setting this to -1 or 0 makes the queue block when it is full, which stalls the processor chain.
    * When any target group's queue is blocked, no more data will reach any other target group.
    * Using load balanced groups is the best way to alleviate this condition because multiple 
    receivers must be down (or jammed up) before queue blocking occurs.
    * Defaults to -1 (do not drop events).
indexAndForward = <true/false>
	* In addition to other actions, index all this data locally as well as forwarding it.
	* This is known as an index and forward configuration.
	* Defaults to false.
	
	
#########################################################################################
#----BACKOFF SETTINGS----
#########################################################################################
# Backoff settings are server specific, meaning they must be set in a [tcpout-server://$IP:$PORT] stanza. 
# They cannot be set for a target or default group.
# These are optional, and there are no global overrides for these.
backoffAtStartup = <integer>
	* Set how long (in seconds) to wait until retrying the first time a retry is needed.
	* Defaults to 5.
initialBackoff = <integer>
	* Set how long (in seconds) to wait until retrying every time after the first retry.
	* Defaults to 2.
maxNumberOfRetriesAtHighestBackoff = <integer>
    * Specifies the number of times the system should retry after reaching the highest backoff 
    period before stopping completely.
    * -1 means to try forever.
    * It is suggested that you never change this from the default, or the forwarder will completely 
    stop forwarding to a downed URI at some point.
    * Defaults to -1 (forever).
maxBackoff = <integer>
    * Specifies the number of seconds before reaching the maximum backoff frequency.
    * Defaults to 20.
    
    
#########################################################################################
#----SSL SETTINGS----
#########################################################################################
# To set up SSL on the forwarder, set the following attribute/value pairs.
# If you want to use SSL for authentication, add a stanza for each receiver that needs to be certified.
sslCertPath = <path>
	* If specified, this connection will use SSL.  
	* This is the path to the client certificate.
sslRootCAPath = <path>
	* The path to the root certificate authority file (optional).
sslVerifyServerCert = <true/false>
	* If true, make sure that the server you are connecting to is a valid one (authenticated).  
	* Both the common name and the alternate name of the server are then checked for a match.
	* Defaults to false.
sslCommonNameToCheck = <string>
	* Check the common name of the server's certificate against this name.
	* If there is no match, assume that Splunk is not authenticated against this server.  
	* You must specify this setting if 'sslVerifyServerCert' is true.
altCommonNameToCheck = <string>
	* Check the alternate name of the server's certificate against this name.
	* If there is no match, assume that Splunk is not authenticated against this server.  
	* You must specify this setting if 'sslVerifyServerCert' is true.
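
The following is an added example, not part of Splunk's documentation or shipped files: a Python check that parses an outputs.conf and reports the conditions this spec calls out (SSL enabled with 'sslVerifyServerCert' left at false, missing name checks, backoff settings outside a [tcpout-server://...] stanza, and settings that stop forwarding or drop events). It inspects each stanza as written and does not model inheritance from [tcpout]; the function name, finding texts and the constructed sample config (addresses, host names, certificate paths) are assumptions of the example.

```python
import configparser

BACKOFF_KEYS = {"backoffAtStartup", "initialBackoff",
                "maxNumberOfRetriesAtHighestBackoff", "maxBackoff"}

# Constructed sample: addresses, names and certificate paths are placeholders.
SAMPLE_CONF = """
[tcpout]
defaultGroup = indexers
maxBackoff = 60
[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.198:9997
[tcpout-server://10.1.1.197:9997]
sslCertPath = /path/to/forwarder-cert.pem
sslRootCAPath = /path/to/ca.pem
[tcpout-server://10.1.1.198:9997]
sslCertPath = /path/to/forwarder-cert.pem
sslRootCAPath = /path/to/ca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = indexer2.example.com
altCommonNameToCheck = indexer2.example.com
maxNumberOfRetriesAtHighestBackoff = 10
"""

def audit_outputs_conf(text):
    """Return (stanza, finding) pairs for settings the spec above warns about."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep attribute names as written (default lowercases them)
    cp.read_string(text)
    findings = []
    for stanza in cp.sections():
        opts = {k: v.strip() for k, v in cp[stanza].items()}
        misplaced = sorted(BACKOFF_KEYS.intersection(opts))
        if misplaced and not stanza.startswith("tcpout-server://"):
            findings.append((stanza, "backoff settings must be in a tcpout-server stanza: "
                             + ", ".join(misplaced)))
        verify = opts.get("sslVerifyServerCert", "false").lower() == "true"
        if "sslCertPath" in opts and not verify:
            findings.append((stanza, "SSL without sslVerifyServerCert: receiver not authenticated"))
        if verify:  # the spec requires both name checks once verification is on
            for key in ("sslCommonNameToCheck", "altCommonNameToCheck"):
                if not opts.get(key):
                    findings.append((stanza, key + " must be set when sslVerifyServerCert is true"))
        if opts.get("maxNumberOfRetriesAtHighestBackoff", "-1") != "-1":
            findings.append((stanza, "finite retry limit: forwarding eventually stops"))
        if opts.get("dropEventsOnQueueFull", "-1") not in ("-1", "0"):
            findings.append((stanza, "new events are dropped while the queue is full"))
    return findings

if __name__ == "__main__":
    for stanza, finding in audit_outputs_conf(SAMPLE_CONF):
        print(f"[{stanza}] {finding}")
```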

outputs.conf.example

# This file contains an example outputs.conf.  Use this file to configure forwarding in a distributed
# setup.
#
# To use one or more of these configurations, copy the configuration block into
# outputs.conf in your own custom bundle.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.
# Specify a target group for an IP:PORT which consists of a single receiver.
# This is the simplest possible configuration; it sends data to the host at 10.1.1.197 on port 9997.
[tcpout:group1]
server=10.1.1.197:9997
# Specify a target group for a hostname which consists of a single receiver.
[tcpout:group2]
server=myhost.Splunk.com:9997
# Specify a target group made up of two receivers.  In this case, the data will be
# balanced (round-robin) between these two receivers.  You can specify as many
# receivers as you wish here. You can combine host name and IP if you wish.
[tcpout:group3]
server=myhost.Splunk.com:9997,10.1.1.197:6666
# You can override any of the global configuration values on a per-target group basis.
# All target groups that do not override a global config will inherit the global config.
# Send every event to a receiver at foo.Splunk.com:9997 and send heartbeats every
# 45 seconds with a maximum queue size of 100,500 events.
[tcpout:group4]
server=foo.Splunk.com:9997
heartbeatFrequency=45
maxQueueSize=100500
# Set the heartbeat frequency to 15 for each group and clone the events to 
# groups indexer1 and indexer2.  Also, index all this data locally as well.
[tcpout]
heartbeatFrequency=15
indexAndForward=true
[tcpout:indexer1]
server=Y.Y.Y.Y:9997
[tcpout:indexer2]
server=X.X.X.X:6666
# Data balance between Y.Y.Y.Y and X.X.X.X.
[tcpout:indexerGroup]
server=Y.Y.Y.Y:9997, X.X.X.X:6666
# Clone events between two data balanced groups.
[tcpout:indexer1]
server=A.A.A.A:1111, B.B.B.B:2222
[tcpout:indexer2]
server=C.C.C.C:3333, D.D.D.D:4444

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6.

