How Splunk Works

Overview of Splunk

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Transaction Types

Search

Distributed Search

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Troubleshooting

Configure outputs.conf

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Configuration
Default group and global settings
Target groups
Single server
Example

Configure outputs.conf

Configure outputs.conf to send to multiple groups of one or more servers, called target groups. Also, you can set up a default group, made up of one or more target groups, which receives all the data not sent to target groups. If there is more than one group specified in the default group, Splunk clones events to all listed default groups.

Note: While forwarding, events are stored in memory. If any receiver goes down, Splunk buffers the events in memory on the forwarder. Also, by default, time extraction is based on the timestamp in the event, not when Splunk receives the event. If you want to change this default behavior while forwarding, please configure your forwarder to turn off timestamping, in which case Splunk uses the time the forwarder saw the event.

Configuration

Default group and global settings

Add your default group stanza to $SPLUNK_HOME/etc/bundles/local/outputs.conf on the forwarding server.

[tcpout]
defaultGroup= Group1, Group2, ...
attribute1 = val1
attribute2 = val2
...

If you have no default group, set global settings in the [tcpout] stanza.

Note: Settings for your default group are global and inherited by all target groups. Override these settings by creating explicit rules for each target group.

Target groups

Add any number of target group stanzas to $SPLUNK_HOME/etc/bundles/local/outputs.conf on the forwarding server.

[tcpout:$TARGET_GROUP]
server=$IP:$PORT, $IP2:$PORT2...
attribute1 = val1
attribute2 = val2
...

Note: If your target group is made up of more than one $IP:$PORT, the forwarder sends events in a round robin between these URIs.

Optional attributes

There are a number of optional attributes you can set in outputs.conf.

sendCookedData=true/false
- If true, events are cooked (have been processed by Splunk and are not raw)
- If false, events are raw and untouched prior to sending
- Defaults to true
heartbeatFrequency=60
- How often in seconds to send a heartbeat packet to the receiver
- Heartbeats are only sent if sendCookedData=true
- Defaults to 30 seconds

Queue settings

Your data stream enters a queue as it leaves the forwarder. There are a few queue settings you can tweak in outputs.conf.

maxQueueSize=20000
- The maximum number of queued events (queue size)
- Defaults to 1000
usePersistentQueue=false
- If set to true and the queue is full, write events to the disk
- Directory is specified with persistentQueuePath
- Defaults to false
maxPersistentQueueSizeInMegs=1000
- The maximum size in megabytes of the disk file where the persistent queue stores its events
- Defaults to 1000
dropEventsOnQueueFull=10
- Wait N * 5 seconds before throwing out all new events until the queue has space.
- Setting this to -1 or 0 will set the queue to block when it gets full causing blocking up the processor chain.
- When any target group's queue is blocked, no more data will reach any other target group.
- Using load balanced groups is the best way to alleviate this condition because multiple receivers must be down (or jammed up) before queue blocking occurs.
- Defaults to -1 (do not drop events)

Single server

Add any number of single server stanzas to $SPLUNK_HOME/etc/bundles/local/outputs.conf on the forwarding server. Use single server configuration to set up SSL and backoff settings (see below). Servers indicated in single server stanzas must also be a part of a target group in order to send data.

[tcpout-server://$IP:$PORT]
attribute1 = val1
attribute2 = val2
...

Backoff settings

Backoff settings are server specific, meaning they must be set in a [tcpout-server://$IP:$PORT] stanza. They cannot be set for a target or default group.

If one of the target group servers becomes unreachable, you can configure the forwarder to retry the connection. If a connection needs to be retried, the forwarder uses backoffAtStartup or initialBackoff as the number of seconds to wait. After this time expires, the forwarder doubles the number of seconds over and over again until reaching maxBackoff. When this is reached, the forwarder stops doubling the number of seconds in between retries and uses the same maxBackoff seconds. It retries at this frequency maxNumberOfRetriesAtHighestBackoff times or forever if that value is -1.

backoffAtStartup=N
- Defines how many seconds to wait until retrying the first time a retry is needed
- Defaults to 5 seconds
initialBackoff=N
- Defines how many seconds to wait until retrying every time other than the first time a retry is needed
- Defaults to 2 seconds
maxBackoff=N
- Specifies the number of seconds before reaching the maximum backoff frequency.
- Defaults to 20
maxNumberOfRetriesAtHighestBackoff=N
- Specifies the number of times the system should retry after reaching the highest backoff period before stopping completely.
- -1 means to try forever.
- It is suggested that you never change this from the default, or the forwarder will completely stop forwarding to a downed URI at some point.
- Defaults to -1 (forever)

Example

Specify a target group for an IP:PORT which consists of a single receiver. This is the simplest possible configuration; it sends data to the host at 10.1.1.197 on port 9997.

[tcpout:group1]
server=10.1.1.197:9997

Specify a target group for a hostname which consists of a single receiver.

[tcpout:group2]
server=myhost.Splunk.com:9997

Specify a target group made up of two receivers. In this case, the data is balanced (round-robin) between these two receivers. Specify as many receivers as you wish here. Ccombine host name and IP if you wish.

[tcpout:group3]
server=myhost.Splunk.com:9997,10.1.1.197:6666

Send every event to a receiver at foo.Splunk.com:9997 and send heartbeats every 45 seconds with a maximum queue size of 100,500 events.

[tcpout:group4]
server=foo.Splunk.com:9997
heartbeatFrequency=45
maxQueueSize=100500

Set the hearbeat frequency to 15 for each group and clone the events to groups indexer1 and indexer2. Also, index all this data locally as well.

[tcpout]
heartbeatFrequency=15
indexAndForward=true
[tcpout:indexer1]
server=Y.Y.Y.Y:9997
[tcpout:indexer2]
server=X.X.X.X:6666

Data balance between Y.Y.Y.Y and X.X.X.X.

[tcpout:indexerGroup]
server=Y.Y.Y.Y:9997, X.X.X.X:6666

Clone events between two data balanced groups.

[tcpout:indexer1]
server=A.A.A.A:1111, B.B.B.B:2222
[tcpout:indexer2]
server=C.C.C.C:3333, D.D.D.D:4444

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.2.5/Admin/ConfigureOutputsconf"

« Enable forwarding and receiving Set up routing »

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Admin Manual

Configure outputs.conf

Contents

Configure outputs.conf

Configuration

Default group and global settings

Target groups

Optional attributes

Queue settings

Single server

Backoff settings

Example

Comments