Admin Manual

 



outputs.conf

This documentation does not apply to the most recent version of Splunk.


outputs.conf controls the destination and configuration for routing and cloning data to other servers over TCP.

outputs.conf.spec

# Copyright (C) 2005-2009 Splunk Inc.  All Rights Reserved.  Version 3.0
#
# This file contains possible attributes and values for configuring outputs.conf. Configure 
# Splunk's data forwarding actions by creating your own outputs.conf.
#
# There is NO DEFAULT outputs.conf. To set custom configurations, place an outputs.conf in
# $SPLUNK_HOME/etc/system/local/.  For examples, see outputs.conf.example.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
#
# NOTE: Place outputs.conf on the forwarding side of any distributed Splunk deployment.
# To learn more about distributed configurations, see the documentation at 
# http://www.splunk.com/doc/latest/admin/ForwardingReceiving.


#########################################################################################
#----GLOBAL CONFIGURATION-----
#########################################################################################
# These configurations will be used if they are not overwritten in specific target groups.
# All events that do not have target group metadata will be sent to this group.
# If there is more than one group specified, the events will be cloned to all listed.

[tcpout]
defaultGroup= Group1, Group2, ...
attribute1 = val1
attribute2 = val2
...

#NOTE: This is not for typical use:
#This configuration item looks in the event for <key>.  If the event contains
#this key, the value is prepended to the raw data that is sent out to the destination
#server.  Note that this ONLY works if 'sendCookedData = false'. The key/value pair
#and how it is derived are set in props.conf and transforms.conf.
#Use case: prepending <priority> to a syslog event which has been obtained by monitoring
#a syslog file and sending it out to a syslog server.
prependKeyToRaw = key

	
#########################################################################################
#----TARGET GROUP CONFIGURATION-----
#########################################################################################
# You can have as many target groups as you wish.  
# If more than one is specified, the forwarder will clone every event into each target group.


[tcpout:$TARGET_GROUP]
server=$IP:$PORT, $IP2:$PORT2...
attribute1 = val1
attribute2 = val2
...

#########################################################################################
#----SINGLE SERVER CONFIGURATION-----
#########################################################################################

# NOTE: Single server configuration is necessary for implementing SSL and back-off settings
# (listed below).  However, you must list any single server as a part of a target group or 
# default group to send data.

[tcpout-server://$IP:$PORT]
attribute1 = val1
attribute2 = val2
...


#########################################################################################	
#----OPTIONAL SETTINGS----		
#########################################################################################

# There are a number of optional attributes you can set in outputs.conf.

sendCookedData = true | false
* If true, events are cooked (have been processed by Splunk and are not raw).
* If false, events are raw and untouched prior to sending.
* Set to false if you are sending to a third-party system.
* Defaults to true.

heartbeatFrequency = <integer>
* How often (in seconds) to send a heartbeat packet to the receiving server.
* Heartbeats are only sent if 'sendCookedData' is true.
* Defaults to 30 seconds.
	
blockOnCloning = true | false
* If true, TcpOutputProcessor blocks until at least one of the cloned groups gets events. This will
  not drop events when all the cloned groups are down.
* If false, TcpOutputProcessor will drop events when all the cloned groups are down and the queues for
  each of the cloned groups are full. When at least one of the cloned groups is up and queues are not full,
  the event is not dropped.
* Defaults to true.
	
#########################################################################################
#----QUEUE SETTINGS----		
#########################################################################################

maxQueueSize = <integer>
* The maximum number of queued events (queue size) on the forwarding server.
* Defaults to 1000.

dropEventsOnQueueFull = <integer>
* If set to a positive number N, wait N * 5 seconds before throwing out all new events until the queue has space.
* Setting this to -1 or 0 will set the queue to block when it gets full, which blocks up the processor chain.
* When any target group's queue is blocked, no more data will reach any other target group.
* Using load balanced groups is the best way to alleviate this condition because multiple 
    receivers must be down (or jammed up) before queue blocking occurs.
* Defaults to -1 (do not drop events).
* DO NOT SET THIS VALUE TO A POSITIVE INTEGER (true) IF YOU ARE MONITORING FILES!

indexAndForward = true | false
* In addition to other actions, index all this data locally as well as forwarding it.
* This is known as an index and forward configuration.
* Defaults to false.
	
	
#########################################################################################
#----BACKOFF SETTINGS----
#########################################################################################

# Backoff settings are server specific, meaning they must be set in a [tcpout-server://$IP:$PORT] stanza. 
# They cannot be set for a target or default group.
# These are optional, and there are no global overrides for these.

backoffAtStartup = <integer>
* Set how long (in seconds) to wait until retrying the first time a retry is needed.
* Defaults to 5.

initialBackoff = <integer>
* Set how long (in seconds) to wait until retrying every time after the first retry.
* Defaults to 2.

maxNumberOfRetriesAtHighestBackoff = <integer>
* Specifies the number of times the system should retry after reaching the highest back-off period before stopping completely.
* -1 means to try forever.
* It is suggested that you never change this from the default, or the forwarder will completely stop forwarding to a downed URI at some point.
* Defaults to -1 (forever).

maxBackoff = <integer>
* Specifies the number of seconds before reaching the maximum backoff frequency.
* Defaults to 20.
    
    
#########################################################################################
#----SSL SETTINGS----
#########################################################################################

# To set up SSL on the forwarder, set the following attribute/value pairs.
# If you want to use SSL for authentication, add a stanza for each receiver that needs to be certified.

sslPassword = <password>
* The password associated with the CAcert.
* The default splunk CAcert uses the password "password".

sslCertPath = <path>
* If specified, this connection will use SSL.  
* This is the path to the client certificate.

sslRootCAPath = <path>
* The path to the root certificate authority file (optional).

sslVerifyServerCert = true | false
* If true, make sure that the server you are connecting to is a valid one (authenticated).  
* Both the common name and the alternate name of the server are then checked for a match.
* Defaults to false.

sslCommonNameToCheck = <string>
* Check the common name of the server's certificate against this name.
* If there is no match, assume that Splunk is not authenticated against this server.  
* You must specify this setting if 'sslVerifyServerCert' is true.

altCommonNameToCheck = <string>
* Check the alternate name of the server's certificate against this name.
* If there is no match, assume that Splunk is not authenticated against this server.  
* You must specify this setting if 'sslVerifyServerCert' is true.
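
As an added example (not part of the Splunk documentation or its shipped files), the following Python lint applies the SSL rules stated in the spec above to a forwarder's outputs.conf: SSL is used only when sslCertPath is set, sslVerifyServerCert defaults to false, and both name checks are required once verification is on. It assumes SSL attributes live only in [tcpout-server://$IP:$PORT] stanzas, as the single server note says; the sample configuration, addresses, certificate path and host names are constructed placeholders.

```python
import re

# Constructed sample outputs.conf; addresses, paths and names are placeholders.
SAMPLE = """
[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.198:9997, 10.1.1.199:9997

[tcpout-server://10.1.1.197:9997]
sslCertPath = /opt/splunk/etc/auth/forwarder.pem
sslPassword = password

[tcpout-server://10.1.1.198:9997]
sslCertPath = /opt/splunk/etc/auth/forwarder.pem
sslVerifyServerCert = true
sslCommonNameToCheck = indexer2.example.com
altCommonNameToCheck = indexer2.example.com
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {attribute: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if header := re.fullmatch(r"\[(.+)\]", line):
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(text):
    """Return sorted (server stanza, finding) pairs for weak SSL settings."""
    conf, findings = parse_conf(text), []
    servers = {s.strip() for name, st in conf.items() if name.startswith("tcpout:")
               for s in st.get("server", "").split(",") if s.strip()}
    for server in servers:
        name = "tcpout-server://" + server
        st = conf.get(name, {})
        if "sslCertPath" not in st:  # spec: SSL is used only if sslCertPath is set
            findings.append((name, "no sslCertPath, connection does not use SSL"))
            continue
        if st.get("sslPassword") == "password":
            findings.append((name, "sslPassword is the default 'password'"))
        if st.get("sslVerifyServerCert", "false").lower() != "true":  # default is false
            findings.append((name, "sslVerifyServerCert off, receiver not authenticated"))
        elif not (st.get("sslCommonNameToCheck") and st.get("altCommonNameToCheck")):
            findings.append((name, "sslVerifyServerCert on but a name to check is missing"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Every receiver listed in a target group is checked, so a server with no [tcpout-server://...] stanza at all is reported as sending without SSL.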

outputs.conf.example

# Copyright (C) 2005-2009 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains an example outputs.conf.  Use this file to configure forwarding in a distributed
# setup.
#
# To use one or more of these configurations, copy the configuration block into
# outputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to 
# enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.


# Specify a target group for an IP:PORT which consists of a single receiver.
# This is the simplest possible configuration; it sends data to the host at 10.1.1.197 on port 9997.

[tcpout:group1]
server=10.1.1.197:9997


# Specify a target group for a hostname which consists of a single receiver.

[tcpout:group2]
server=myhost.Splunk.com:9997


# Specify a target group made up of two receivers.  In this case, the data will be
# balanced (round-robin) between these two receivers.  You can specify as many
# receivers as you wish here. You can combine host name and IP if you wish.

[tcpout:group3]
server=myhost.Splunk.com:9997,10.1.1.197:6666


# You can override any of the global configuration values on a per-target group basis.
# All target groups that do not override a global config will inherit the global config.

# Send every event to a receiver at foo.Splunk.com:9997 and send heartbeats every
# 45 seconds with a maximum queue size of 100,500 events.

[tcpout:group4]
server=foo.Splunk.com:9997
heartbeatFrequency=45
maxQueueSize=100500


# Set the heartbeat frequency to 15 for each group and clone the events to 
# groups indexer1 and indexer2.  Also, index all this data locally as well.

[tcpout]
heartbeatFrequency=15
indexAndForward=true

[tcpout:indexer1]
server=Y.Y.Y.Y:9997

[tcpout:indexer2]
server=X.X.X.X:6666



# Data balance between Y.Y.Y.Y and X.X.X.X.

[tcpout:indexerGroup]
server=Y.Y.Y.Y:9997, X.X.X.X:6666


# Clone events between two data balanced groups.

[tcpout:indexer1]
server=A.A.A.A:1111, B.B.B.B:2222

[tcpout:indexer2]
server=C.C.C.C:3333, D.D.D.D:4444


This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14

