Hi guys,
We have a Heavy Forwarder that is taking logs from a number of servers in a remote site. This forwarder needs to forward the logs to a cluster of Indexers, but their location depends on the IP/Hostname of the server that sent in the log. This is our setup:
**props.conf**
[host::(10.1.1.10|10.1.1.11|10.1.1.12|10.1.1.13|10.1.1.14|10.1.1.15)]
TRANSFORMS-redirect1 = send_to_group1
[host::(10.2.1.10|10.2.1.11|10.2.1.12|10.2.1.13|10.2.1.14|10.2.1.15)]
TRANSFORMS-redirect2 = send_to_group2
**transforms.conf**
[send_to_group1]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT = autolb-group1
[send_to_group2]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT = autolb-group2
**outputs.conf**
[tcpout]
indexAndForward = false
[tcpout:autolb-group1]
disabled = false
server = 10.3.1.10:9997
[tcpout:autolb-group2]
disabled = false
server = 10.4.1.10:9997
From a look at netstat, I can see the forwarder is connected to both groups of indexers (and clients are connected to the HF); however, logs only ever make it to the indexers defined in group1 (autolb-group1). Any ideas if we are missing something to make the forwarder never use group2?
Any help is greatly appreciated!
Cheers.
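
An added example, not part of the original post: a lint that walks the reference chain in the configuration above (props.conf `TRANSFORMS-*` -> transforms.conf stanza -> `_TCP_ROUTING` `FORMAT` -> outputs.conf `[tcpout:<group>]`) and reports dangling links. The function names `load` and `resolve_routes` are hypothetical, the embedded files are abridged copies of the posted stanzas, and the check covers cross-references only, not how Splunk matches `host::` patterns at runtime.

```python
import configparser

# Abridged copies of the stanzas posted above (only settings the check reads).
PROPS = """\
[host::(10.1.1.10|10.1.1.11|10.1.1.12|10.1.1.13|10.1.1.14|10.1.1.15)]
TRANSFORMS-redirect1 = send_to_group1
[host::(10.2.1.10|10.2.1.11|10.2.1.12|10.2.1.13|10.2.1.14|10.2.1.15)]
TRANSFORMS-redirect2 = send_to_group2
"""
TRANSFORMS = """\
[send_to_group1]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT = autolb-group1
[send_to_group2]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT = autolb-group2
"""
OUTPUTS = """\
[tcpout:autolb-group1]
server = 10.3.1.10:9997
[tcpout:autolb-group2]
server = 10.4.1.10:9997
"""

def load(text):
    # Keep keys case-sensitive and split on '=' only, so host:port values survive.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def resolve_routes(props_text, transforms_text, outputs_text):
    """Return ({props stanza: [tcpout groups]}, [dangling-reference messages])."""
    props, transforms, outputs = map(load, (props_text, transforms_text, outputs_text))
    routes, problems = {}, []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if key.startswith("TRANSFORMS-"):
                for name in (n.strip() for n in value.split(",")):
                    if not transforms.has_section(name):
                        problems.append(f"[{stanza}] -> [{name}] missing in transforms.conf")
                    elif transforms[name].get("DEST_KEY") == "_TCP_ROUTING":
                        for group in (g.strip() for g in transforms[name].get("FORMAT", "").split(",")):
                            if not outputs.has_section(f"tcpout:{group}"):
                                problems.append(f"[{name}] -> [tcpout:{group}] missing in outputs.conf")
                            routes.setdefault(stanza, []).append(group)
    return routes, problems
```

`resolve_routes(PROPS, TRANSFORMS, OUTPUTS)` returns an empty problem list for these stanzas, so every name referenced across the three files resolves.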