Admin Manual

 


Configure forwarders with outputs.conf

This documentation does not apply to the most recent version of Splunk.

The outputs.conf file is unique to forwarders. It defines the forwarder configuration. Except for a few basic configurations available through Splunk Web or the CLI, all forwarder configuration takes place through outputs.conf. The topics describing various topologies, such as load balancing and data routing, provide detailed examples on configuring outputs.conf.

Note: Although outputs.conf is the critical file for configuring forwarders, it specifically addresses the outputs from the forwarder. To specify the inputs to a forwarder, you must configure the inputs separately, as you would for any other Splunk instance. For details on configuring inputs, see Add data and configure inputs in this manual.

Create and modify outputs.conf

There is no default outputs.conf file. When you enable a forwarder through Splunk Web or the CLI, Splunk creates an outputs.conf file in the directory of the currently running app. For example, if you're working in the search app, Splunk places the file in $SPLUNK_HOME/etc/apps/search/local/. You can then edit it there.

To enable and configure a forwarder without using Splunk Web or the CLI, create an outputs.conf file and place it in this directory: $SPLUNK_HOME/etc/system/local/.

A single forwarder can have multiple outputs.conf files (for instance, one located in an apps directory and another in /system/local). To understand how to manage multiple outputs.conf files, see Configuration file precedence in this manual. No matter where the outputs.conf file resides, it acts globally on the forwarder (bearing in mind the issue of location precedence, as described in Configuration file precedence). For purposes of distribution and management simplicity, you might prefer to maintain just a single outputs.conf file, keeping it resident in the /system/local directory.

After making changes to outputs.conf, you must restart the forwarder for the changes to take effect.

See outputs.conf.spec and outputs.conf.example in $SPLUNK_HOME/etc/system/README/ for guidance and a template to use when creating or modifying outputs.conf.

Configuration levels

You can configure output processors at three levels of stanzas:

  • Global. Here, you specify default target groups, as well as certain settings only configurable at the system-wide level for the output processor.
  • Target group. A target group defines settings for one or more receivers. There can be one or more target groups per output processor. Most configuration settings can be specified at the target group level.
  • Single server. You can specify configuration values for single servers (receivers) within a target group. This stanza type is optional.

Configurations at the more specific level take precedence. For example, if you specify compressed=true for a single receiver, the forwarder will send that receiver compressed data, even if compressed is set to "false" for the receiver's target group.

Target groups

A target group allows you to configure where and how Splunk will send data. Target groups do not control which events will be forwarded. For tcpout routing, events will be sent to all defined tcpout target groups by default, unless defaultGroup is set.

Here's the basic pattern for the target group stanza:

[<output_processor>:<target_group>]
server=<server1>, <server2>, ...
<attribute1> = <val1>
<attribute2> = <val2>
...

Available output processors are tcpout, syslog, and httpout.

To specify a server in a target group, use the format <ipaddress_or_servername>:<port>. For example, myhost.Splunk.com:9997.

To perform load balancing, you specify a target group with multiple receivers.

To perform cloning, you specify multiple target groups.

Note: For syslog and other output types, you must explicitly specify routing as described here: Route and filter data.

Set defaultGroup

You must include the defaultGroup attribute in your [tcpout] stanza:

[tcpout]
defaultGroup= <group1>, <group2>, ...

The defaultGroup specifies one or more target groups, defined later in tcpout:<target_group> stanzas. The forwarder will send all events to the specified defaultGroups.

If you do not want to forward data automatically, you can set "defaultGroup" to a non-existent target group name (for example, "nothing").

Example

The following outputs.conf example contains three stanzas for sending tcpout to other Splunk receivers:

  • Global settings. In this example, there are two settings: one to specify a defaultGroup, and another to enable local indexing as well as forwarding.
  • Settings for a single target group consisting of two receivers. Here, we are specifying automatic load balancing between the two servers. See Set up load balancing in this manual for a detailed description of load balancing. We are also stipulating that the forwarder send the data in compressed form to the targeted receivers.
  • Settings for one receiver within the target group. This stanza turns off compression for this particular receiver. The server-specific value for "compressed" takes precedence over the value set at the target group level.

[tcpout]
defaultGroup=my_indexers
indexAndForward=true

[tcpout:my_indexers]
autoLB=true
compressed=true
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996

[tcpout-server://mysplunk_indexer1:9997]
compressed=false
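
The precedence and defaultGroup rules above can be checked mechanically before a forwarder is restarted. The following is an added example, not code from Splunk or from the original page: the function names are hypothetical, and it assumes a single outputs.conf that parses as plain INI (it does not model precedence across multiple outputs.conf files). The sample is the page's example with a constructed second default group, "nothing".

```python
import configparser

# Constructed sample: the page's example plus an undefined default group.
SAMPLE = """
[tcpout]
defaultGroup=my_indexers, nothing
indexAndForward=true

[tcpout:my_indexers]
autoLB=true
compressed=true
server=mysplunk_indexer1:9997, mysplunk_indexer2:9996

[tcpout-server://mysplunk_indexer1:9997]
compressed=false
"""

def parse(text):
    # Only "=" separates key and value, so host:port values are left intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep attribute names case-sensitive (defaultGroup)
    cp.read_string(text)
    return cp

def csv_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def effective_settings(cp):
    """Map each receiver to its settings; single-server values override the group's."""
    result = {}
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        group = dict(cp[section])
        for server in csv_list(group.pop("server", "")):
            merged = dict(group, group=section.split(":", 1)[1])
            override = "tcpout-server://" + server
            if cp.has_section(override):
                merged.update(cp[override])  # more specific level wins
            result[server] = merged
    return result

def undefined_default_groups(cp):
    """defaultGroup names that have no [tcpout:<name>] stanza."""
    names = csv_list(cp.get("tcpout", "defaultGroup", fallback=""))
    return [n for n in names if not cp.has_section("tcpout:" + n)]

if __name__ == "__main__":
    conf = parse(SAMPLE)
    print(effective_settings(conf))
    print("undefined default groups:", undefined_default_groups(conf))
```

A name returned by undefined_default_groups is harmless when it is a deliberate placeholder, but if it is a typo and no other default group is defined, the forwarder sends nothing automatically, which leaves a silent gap in log collection.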

Forwarding attributes

The outputs.conf file provides a large number of configuration options that offer considerable control and flexibility in forwarding. Of the attributes available, several are of particular interest:

| Attribute | Default | Value |
|---|---|---|
| server | n/a | Required. Specifies the server(s) that will function as receivers for the forwarder. Configured at the target group level. This must be in the format <ipaddress_or_servername>:<port>. |
| defaultGroup | n/a | Required for [tcpout]. A comma-separated list of one or more target groups. Sends all events to all specified target groups. Set this to a non-existent group name if you don't want events automatically forwarded to a target group. Configurable only at the global level. |
| disabled | false | Specifies whether the stanza is disabled. If set to "true", it is equivalent to the stanza not being there. |
| indexAndForward | false | Specifies whether data should be indexed and stored locally, as well as forwarded. It can be specified only at the global level. This setting is not available for light forwarders. |
| sendCookedData | true | Specifies whether data is cooked before forwarding. |
| compressed | false | Specifies whether the forwarder sends compressed data. |
| maxQueueSize | 1000 | Specifies the maximum number of events queued on the forwarder. |
| autoLB | false | Specifies load balancing. |
| ssl.... | n/a | Set of attributes for configuring SSL. See "Use SSL to encrypt and authenticate data from forwarders" for information on how to use these attributes. |


The outputs.conf.spec file provides details, including the default settings, for these and all other configuration options. In addition, most of these settings are discussed in topics dealing with specific forwarding scenarios.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8

