Admin Manual

outputs.conf

The following are the spec and example files for outputs.conf.

outputs.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5
#
# This file contains possible attributes and values for configuring outputs.conf. Configure 
# Splunk's data forwarding actions by creating your own outputs.conf.
#
# There is NO DEFAULT outputs.conf. To set custom configurations, place an outputs.conf 
# $SPLUNK_HOME/etc/system/local/.  For examples, see outputs.conf.example.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
#
# NOTE: Place outputs.conf on the forwarding side of any distributed Splunk deployment.
# To learn more about distributed configurations, see the documentation at 
# TODO: the article below does not exist in the latest documentation:
# http://www.splunk.com/doc/latest/admin/ForwardingReceiving


############
#----TCP Output-----
############
# These configurations will be used if they are not overwritten in specific target groups.
# All events that do not have target group metadata will be sent to this group.
# If there is more than one group specified, the events will be cloned to all listed.

[tcpout]
defaultGroup= Group1, Group2, ...
attribute1 = val1
attribute2 = val2
...

# TODO : Deprecate the feature below. Use syslog out.
#NOTE: This is not for typical use:
#This configuration item looks in the event for <key>.  If the event contains this
#key, the value is prepended to the raw data that is sent out to the destination
#server.  Note that this ONLY works if 'sendCookedData = false'. The key/value pair
#and how it is derived is set in props.conf and transforms.conf.
#Use case: prepending <priority> to a syslog event which has been obtained by monitoring
#a syslog file and sending it out to a syslog server.
prependKeyToRaw = key

#This parameter is available only via the top level [tcpout] stanza; it cannot be
#overridden in a target group:
indexAndForward = true | false
* In addition to other actions, index all this data locally as well as forwarding it.
* This is known as an index and forward configuration.
* Defaults to false.

#----TARGET GROUP CONFIGURATION-----

# You can have as many target groups as you wish.  
# If more than one is specified, the forwarder will clone every event into each target group.


[tcpout:$TARGET_GROUP]
server=$IP:$PORT, $IP2:$PORT2...
attribute1 = val1
attribute2 = val2
...

#----SINGLE SERVER CONFIGURATION-----

# You can define specific configurations for individual indexers here on a server by server
# basis.  However, you must include any single server in a target group or default group
# to send data to it.

[tcpout-server://$IP:$PORT]
attribute1 = val1
attribute2 = val2
...

#----OPTIONAL SETTINGS----		

# These attributes are optional.

sendCookedData = true | false
* If true, events are cooked (have been processed by Splunk and are not raw).
* If false, events are raw and untouched prior to sending.
* Set to false if you are sending to a third-party system.
* Defaults to true.

heartbeatFrequency = <integer>
* How often (in seconds) to send a heartbeat packet to the receiving server.
* Heartbeats are only sent if 'sendCookedData' is true.
* Defaults to 30 seconds.
	
blockOnCloning = true | false
* If true, TcpOutputProcessor blocks until at least one of the cloned groups accepts events. Events
  are therefore not dropped when all the cloned groups are down.
* If false, TcpOutputProcessor drops events when all the cloned groups are down and the queue for
  each cloned group is full. When at least one of the cloned groups is up and its queue is not full,
  the event is not dropped.
* Defaults to true.
	

compressed = true | false
* Whether to send compressed data.
* Defaults to false.
* If this is set to true, the receiver port should also have compression turned on.

#----QUEUE SETTINGS----		

maxQueueSize = <integer>
* The maximum number of queued events (queue size) on the forwarding server.
* Defaults to 1000.

dropEventsOnQueueFull = <integer>
* If set to a positive number N, wait N * 5 seconds before throwing out all new events until the queue has space.
* Setting this to -1 or 0 makes the queue block when it is full, which blocks the processor chain upstream of it.
* When any target group's queue is blocked, no more data will reach any other target group.
* Using load balanced groups is the best way to alleviate this condition, because multiple
  receivers must be down (or jammed up) before queue blocking occurs.
* Defaults to -1 (do not drop events).
* DO NOT SET THIS VALUE TO A POSITIVE INTEGER (true) IF YOU ARE MONITORING FILES!
	
#----BACKOFF SETTINGS when connecting to indexer----

# The settings in this section determine how forwarders should retry when an indexer
# becomes unavailable. 

backoffAtStartup = <integer>
* Set how long (in seconds) to wait until retrying the first time a retry is needed.
* Defaults to 5.

initialBackoff = <integer>
* Set how long (in seconds) to wait until retrying every time after the first retry.
* Defaults to 2.

maxNumberOfRetriesAtHighestBackoff = <integer>
* Specifies the number of times the system should retry after reaching the highest back-off
  period before stopping completely.
* -1 means to try forever.
* Splunk recommends that you not change this from the default, or the forwarder will completely
  stop forwarding to a downed URI at some point.
* Defaults to -1 (forever).

maxBackoff = <integer>
* Specifies the number of seconds before reaching the maximum backoff frequency.
* Defaults to 20.
   
#----BACKOFF SETTINGS when failure to send event to indexer----
# The settings in this section determine how the forwarder should slow down when there
# are repeated failures in sending events to the indexer.

maxFailuresPerInterval = <integer>
* Specifies the maximum number of failures allowed per interval before backoff
  takes place. The interval is defined below.
* Defaults to 5.

secsInFailureInterval = <integer>
* Number of seconds in an interval. If the number of write failures exceeds maxFailuresPerInterval
  within the specified secsInFailureInterval seconds, the forwarder sleeps for backoffOnFailure seconds.
* Defaults to 1.

backoffOnFailure = <integer>
* When failures exceed maxNumberOfRetriesAtHighestBackoff within secsInFailureInterval seconds,
  the forwarder sleeps for backoffOnFailure seconds before attempting to send data again.
* Defaults to 5.

disableBackoffOnFailure = true | false
* If set to true, turns off the backoff policy on sending failures. This does not affect
  the backoff settings for connecting to the indexer.
* Defaults to false (backoff policy active by default).

#----Configuring which events are forwarded by index----
forwardedindex.<n>.whitelist = <regex>
forwardedindex.<n>.blacklist = <regex>
* Normally this should not be changed. It controls which events are forwarded based
  on the indices they belong to.
* Ordered list of whitelist and blacklist entries which decide if an index should be forwarded.
  The order is determined by <n> and should start from 0 and increase to any positive number.
  There should not be any gap in the numbers between the lowest and largest number. These
  filters can start with either a whitelist or a blacklist and are tested from
  forwardedindex.0 to forwardedindex.<max>.
* Please see $SPLUNK_HOME/system/default/outputs.conf for default setting.

forwardedindex.filter.disable = true | false
* If true, disables the index filter; all indices are then forwarded.
* Defaults to false.

#----Automatic Load-balancing of forwarders

autoLB = true | false
* If set to true, the forwarder switches to automatic load balancing mode. In this mode, the
  forwarder selects a new indexer at random every autoLBFrequency seconds. If the connection to
  the indexer is lost at any point, it selects a new live indexer and forwards data to it.
* If this flag is not present, the forwarder uses load balancing with a round robin strategy.
* Defaults to false.

autoLBFrequency = <seconds>
* This is used in automatic load balancing mode. Every autoLBFrequency seconds a new indexer is
  selected at random from the list of indexers provided in the server parameter.
* Defaults to 30 seconds.

#----SSL SETTINGS----

# To set up SSL on the forwarder, set the following attribute/value pairs.
# If you want to use SSL for authentication, add a stanza for each receiver that must be 
# certified.

sslPassword = <password>
* The password associated with the CAcert.
* The default splunk CAcert uses the password "password".
* There is no default value.

sslCertPath = <path>
* If specified, this connection will use SSL.  
* This is the path to the client certificate.
* There is no default value.

sslRootCAPath = <path>
* The path to the root certificate authority file (optional).
* TODO: default = ?

sslVerifyServerCert = true | false
* If true, make sure that the server you are connecting to is a valid one (authenticated).  
* Both the common name and the alternate name of the server are then checked for a match.
* Defaults to false.

sslCommonNameToCheck = <string>
* Check the common name of the server's certificate against this name.
* If there is no match, assume that Splunk is not authenticated against this server.  
* You must specify this setting if 'sslVerifyServerCert' is true.

altCommonNameToCheck = <string>
* Check the alternate name of the server's certificate against this name.
* If there is no match, assume that Splunk is not authenticated against this server.  
* You must specify this setting if 'sslVerifyServerCert' is true.

############
#----Syslog output----
############
# The following configuration is used to send output using syslog 

[syslog]
defaultGroup = Group1, Group2, ...

[syslog:$TARGET_GROUP]
attribute1 = val1
attribute2 = val2
...
	
#----REQUIRED SETTINGS----		
# Required settings for syslog output:

server = ip/servername:<port>
* IP or servername where syslog server is running
* Port on which syslog server is listening.
* There is no default value. You must specify a port. Syslog, by default, uses 514.

#----OPTIONAL SETTINGS----		

# Optional settings for syslog output:

type = tcp | udp
* Protocol used. If type is not specified, default is udp.

priority = <ddd>
* ddd is the value that will appear as <ddd> in the syslog header.
* Users should compute ddd as (<facility> * 8) + <severity>.
* If facility is 4 (security/authorization messages) and severity is 2 (Critical: critical
  conditions), the priority value will be 34 = (4 * 8) + 2.
* TODO: default = ?

syslogSourceType = <string>
* A string representing the sourcetype for syslog.
* In the absence of this attribute, "sourcetype::syslog" is assumed as the source type for the syslog message.

timestampformat = <%b %e %H:%M:%S>
* If specified, this format is used when adding the timestamp to the header.
* TODO: default = ?

#---- Routing data to syslog server -----
To route data to syslog server:
1) First, decide which events to route to which servers.
2) Then, edit the props.conf, transforms.conf, and outputs.conf files on the forwarding servers.

Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing attribute as shown below
[<spec>]
TRANSFORMS-routing=$UNIQUE_STANZA_NAME

<spec> can be: 
<sourcetype>, the sourcetype of an event 
host::<host>, where <host> is the host for an event 
source::<source>, where <source> is the source for an event 

Use the $UNIQUE_STANZA_NAME when creating your entry in transforms.conf

Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set rules to match your props.conf stanza 
[$UNIQUE_STANZA_NAME]
REGEX=$YOUR_REGEX
DEST_KEY=_SYSLOG_ROUTING
FORMAT=$UNIQUE_GROUP_NAME

$UNIQUE_STANZA_NAME must match the name you created in props.conf. 
Enter the regex rules in $YOUR_REGEX to determine which events get conditionally routed. 
DEST_KEY should be set to _SYSLOG_ROUTING to send events via SYSLOG 
Set FORMAT to $UNIQUE_GROUP_NAME. This should match the syslog group name you create in outputs.conf

############
#----HTTP output----
############
# The following configuration is used to send output via http:

[httpoutput]
defaultGroup = Group1, Group2, ...

[httpoutput:$TARGET_GROUP]
attribute1 = val1
attribute2 = val2
...

#----REQUIRED SETTINGS----		

# Required settings for HTTP output:

username = <username>
* username used to authenticate against splunk indexer

password = <password>
* password used to authenticate against splunk indexer

server = ip/servername:port
* ip/servername of splunk receiver
* port that splunk receiver is listening on

#----OPTIONAL SETTINGS----		

# Optional settings for HTTP output:

ssl = true | false
* Set SSL for HTTP output.
* Defaults to true.
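As an added example (not Splunk code and not part of the original spec), the following Python script lints an outputs.conf against the cautions this spec states in the SSL, queue, forwardedindex and HTTP output sections: SSL in use without sslVerifyServerCert, verification without a common name to check, a positive dropEventsOnQueueFull, gaps in the forwardedindex.<n> numbering, and HTTP output with ssl=false or the example password "changeme". The embedded SAMPLE_CONF, its stanza names and the "changeme" check are constructed here from the examples on this page.

```python
# Added example, not Splunk code: lint an outputs.conf against the cautions this
# spec states. It flags SSL without sslVerifyServerCert, verification without a
# name to check, a positive dropEventsOnQueueFull, gaps in forwardedindex.<n>
# numbering, and HTTP output with ssl=false or the example password "changeme".
import configparser
import re

# Constructed sample; every stanza except [tcpout:strict] carries a weak setting.
SAMPLE_CONF = """[tcpout]
defaultGroup = lb
dropEventsOnQueueFull = 3
forwardedindex.0.whitelist = .*
forwardedindex.2.blacklist = _.*

[tcpout:lb]
server = 1.2.3.4:4433, 1.2.3.5:4433
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem

[tcpout:strict]
server = splunkServer.example.com:4433
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunkServer.example.com

[httpoutput:httpout1]
server = indexer1:8089
ssl = false
username = admin
password = changeme
"""

INDEX_FILTER = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)$")

def truthy(value):
    # The spec writes booleans as true | false; accept the usual spellings.
    return value.strip().lower() in ("true", "1", "yes")

def lint_outputs_conf(text):
    """Return 'stanza: problem' strings; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk attribute names are case-sensitive; keep them
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        s = cp[name]
        if name.startswith("tcpout"):  # [tcpout], [tcpout:group], [tcpout-server://...]
            verify = truthy(s.get("sslVerifyServerCert", "false"))
            if "sslCertPath" in s and not verify:
                findings.append(f"{name}: SSL in use but sslVerifyServerCert is false, so the receiver's identity is never checked")
            if verify and not ("sslCommonNameToCheck" in s or "altCommonNameToCheck" in s):
                findings.append(f"{name}: sslVerifyServerCert is true but neither sslCommonNameToCheck nor altCommonNameToCheck is set")
            if int(s.get("dropEventsOnQueueFull", "-1")) > 0:
                findings.append(f"{name}: dropEventsOnQueueFull is positive, so events are discarded when the queue fills (never do this when monitoring files)")
            nums = sorted({int(m.group(1)) for m in map(INDEX_FILTER.match, s) if m})
            if nums and nums != list(range(nums[-1] + 1)):
                findings.append(f"{name}: forwardedindex numbering {nums} must run from 0 to the highest number without gaps")
        elif name.startswith("httpoutput"):
            if not truthy(s.get("ssl", "true")):
                findings.append(f"{name}: ssl is false, so username and password travel in clear text")
            if s.get("password") == "changeme":
                findings.append(f"{name}: password is the documentation example value 'changeme'")
    return findings
```

Running `lint_outputs_conf(SAMPLE_CONF)` reports five findings, none of them against [tcpout:strict], which has verification and a common name configured.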

#---- Routing data to splunk instance with http -----
To route data to splunk server:
1) First, decide which events to route to which servers.
2) Then, edit the props.conf, transforms.conf, and outputs.conf files on the forwarding servers.

Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing attribute as shown below
[<spec>]
TRANSFORMS-routing=$UNIQUE_STANZA_NAME

<spec> can be: 
<sourcetype>, the sourcetype of an event 
host::<host>, where <host> is the host for an event 
source::<source>, where <source> is the source for an event 

Use the $UNIQUE_STANZA_NAME when creating your entry in transforms.conf

Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set rules to match your props.conf stanza 
[$UNIQUE_STANZA_NAME]
REGEX=$YOUR_REGEX
DEST_KEY=_HTTP_ROUTING
FORMAT=$UNIQUE_GROUP_NAME

$UNIQUE_STANZA_NAME must match the name you created in props.conf. 
Enter the regex rules in $YOUR_REGEX to determine which events get conditionally routed. 
DEST_KEY should be set to _HTTP_ROUTING to send events via HTTP 
Set FORMAT to $UNIQUE_GROUP_NAME. This should match the httpoutput group name you create in outputs.conf

############
#----Index And Forward-----
############
# The IndexAndForward processor is used to determine the default behavior for indexing data.
# When forwarders (tcpout, httpoutput) are configured, it turns 'index' to 'false'.
# When forwarders are not configured, 'index' is set to 'true'.
#
# If the tcpout stanza is configured with 'indexAndForward', then the value of 'index' is
# set to the value of 'indexAndForward'.
#
# The setting of 'index' can be overridden in the [indexAndForward] stanza, which supersedes
# the values determined earlier.

[indexAndForward]
index = true | false
* If set to true, data is indexed.
* If set to false, data is not indexed.

outputs.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5 
#
# This file contains an example outputs.conf.  Use this file to configure forwarding in a distributed
# set up.
#
# To use one or more of these configurations, copy the configuration block into
# outputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to 
# enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles


# Specify a target group for an IP:PORT which consists of a single receiver.
# This is the simplest possible configuration; it sends data to the host at 10.1.1.197 on port 9997.

[tcpout:group1]
server=10.1.1.197:9997


# Specify a target group for a hostname which consists of a single receiver.

[tcpout:group2]
server=myhost.Splunk.com:9997


# Specify a target group made up of two receivers.  In this case, the data will be
# balanced (round-robin) between these two receivers.  You can specify as many
# receivers as you wish here. You can combine host name and IP if you wish.
# NOTE: Do not use this configuration with SplunkLightForwarder.

[tcpout:group3]
server=myhost.Splunk.com:9997,10.1.1.197:6666


# You can override any of the global configuration values on a per-target group basis.
# All target groups that do not override a global config will inherit the global config.

# Send every event to a receiver at foo.Splunk.com:9997 and send heartbeats every
# 45 seconds with a maximum queue size of 100,500 events.

[tcpout:group4]
server=foo.Splunk.com:9997
heartbeatFrequency=45
maxQueueSize=100500


# Set the heartbeat frequency to 15 for each group and clone the events to
# groups indexer1 and indexer2.  Also, index all this data locally as well.

[tcpout]
heartbeatFrequency=15
indexAndForward=true

[tcpout:indexer1]
server=Y.Y.Y.Y:9997

[tcpout:indexer2]
server=X.X.X.X:6666



# Round-Robin data balance between Y.Y.Y.Y and X.X.X.X.

[tcpout:indexerGroup]
server=Y.Y.Y.Y:9997, X.X.X.X:6666


# Clone events between two data balanced groups.

[tcpout:indexer1]
server=A.A.A.A:1111, B.B.B.B:2222

[tcpout:indexer2]
server=C.C.C.C:3333, D.D.D.D:4444

# Syslog output configuration
# This example sends only events generated by the splunk daemon to a remote
# syslog host:

[syslog:syslog-out1]
disabled = false
server = X.X.X.X:9099
type = tcp
priority = 34
timestampformat = %b %e %H:%M:%S

# HTTP Output configuration

[httpoutput:httpout1]
server=indexer1:8089
ssl = true
username=admin
password=changeme


# New in 4.0: Auto Load Balancing
#
# This example balances output between two indexers running on
# 1.2.3.4:4433 and 1.2.4.5:4433.
# To achieve this you'd create a DNS entry for splunkLB pointing
# to the two IP addresses of your indexers:
#
#   $ORIGIN example.com.
#   splunkLB A 1.2.3.4
#   splunkLB A 1.2.3.5

[tcpout]
defaultGroup = lb

[tcpout:lb]
server = splunkLB.example.com:4433
autoLB = true

# Alternatively, you can autoLB sans DNS:

[tcpout]
defaultGroup = lb

[tcpout:lb]
server = 1.2.3.4:4433, 1.2.3.5:4433
autoLB = true


# Compression
#
# This example sends compressed events to the remote indexer.
# NOTE: Compression can be enabled for TCP or SSL outputs only.
# The receiver input port should also have compression enabled.

[tcpout]
server = splunkServer.example.com:4433
compressed = true


# SSL
#
# This example sends events to an indexer via SSL using splunk's
# self signed cert:

[tcpout]
server = splunkServer.example.com:4433
sslPassword = password 
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem

#
# The following example shows how to route events to syslog server
# This is similar to tcpout routing, but DEST_KEY is set to _SYSLOG_ROUTING
#
1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing attribute:
[default]
TRANSFORMS-routing=errorRouting

[syslog]
TRANSFORMS-routing=syslogRouting

2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting and syslogRouting rules:
[errorRouting]
REGEX=error
DEST_KEY=_SYSLOG_ROUTING
FORMAT=errorGroup

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup

3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which servers or groups the syslog outputs go to:
[syslog]
defaultGroup=everythingElseGroup

[syslog:syslogGroup]
server = 10.1.1.197:9997

[syslog:errorGroup]
server=10.1.1.200:9999

[syslog:everythingElseGroup]
server=10.1.1.250:6666

#
# The following example shows how to route events to splunk instance using http
# This is similar to tcpout routing, but DEST_KEY is set to _HTTP_ROUTING
#
1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing attribute:
[default]
TRANSFORMS-routing=errorRouting

[syslog]
TRANSFORMS-routing=httpRouting

2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting and httpRouting rules:
[errorRouting]
REGEX=error
DEST_KEY=_HTTP_ROUTING
FORMAT=errorGroup

[httpRouting]
REGEX=.
DEST_KEY=_HTTP_ROUTING
FORMAT=httpGroup

3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which servers or groups the http outputs go to:
[httpoutput]
defaultGroup=everythingElseGroup

[httpoutput:httpGroup]
server=10.1.1.197:8089
ssl = true
username=admin
password=changeme

[httpoutput:errorGroup]
server=10.1.1.200:8089
ssl = true
username=admin
password=changeme

[httpoutput:everythingElseGroup]
server=10.1.1.250:8089
ssl = true
username=admin
password=changeme


This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5

