A Splunk engineer told us to deploy an app with the deployment server (to universal forwarders) that contained the outputs.conf file. The problem is that even with this app deployed, running btool still shows that the config is being taken from system/local/outputs.conf, which is what I expected based on the documents from Splunk... maybe he was confused...
Anyway, the real problem is I don't understand the correlation between a few values in outputs.conf:
[target-broker:deploymentServer]
targetUri = clustermaster:8089
[tcpout]
defaultGroup=my_indexers
[tcpout: my_indexers]
server=1.1.1.1:9997,1.1.1.2:9997
[tcpout-server://1.1.1.1:9997]
[tcpout: my_LB_indexers]
autoLBFrequency=30
server=1.1.1.1:9997,1.1.1.2:9997,1.1.1.3:9997
useACK=true
After reading the outputs.conf documentation on Splunk I'm confused about a few things:
1) What is the result of the above config? Does the default group attribute mean that it will never send to the my_LB_indexers group? Or does the universal forwarder always send to all output groups? Since duplicate values exist, would it still only send to each one once?
2) Is the single server stanza even needed? I saw one Splunk document that said it was optional and another that said it's always needed.
3) If the config makes it only send to my_indexers, does it ever fail over to another group if the my_indexers group becomes unavailable?