# Version 9.2.2.20240415
#
# This file contains an example outputs.conf. Use this file to configure
# forwarding in a distributed setup.
#
# To use one or more of these configurations, copy the configuration block into
# outputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to
# enable configurations. The examples below are independent of each other and
# several of them reuse the same stanza names (for example [tcpout] and
# [tcpout:group4]), so copy only the block you need, never the whole file.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
# Specify a target group for an IP:PORT which consists of a single receiver.
# This is the simplest possible configuration; it sends data to the host at
# 10.1.1.197 on port 9997.
# Target group "group1": a single receiver addressed by IP.
# server: receiver host:port. With no SSL settings this is plain TCP; see the
# "# SSL" example later in this file for an encrypted connection.
[tcpout:group1]
server=10.1.1.197:9997
# Specify a target group for a hostname which consists of a single receiver.
# Target group "group2": a single receiver addressed by hostname.
# server: the name is resolved by the forwarder at connection time; see the
# Auto Load Balancing example for using a name with several addresses.
[tcpout:group2]
server=myhost.Splunk.com:9997
# Specify a target group made up of two receivers. In this case, the data will
# be distributed using AutoLB between these two receivers. You can specify as
# many receivers as you wish here. You can combine host name and IP if you
# wish.
# NOTE: Do not use this configuration with SplunkLightForwarder.
# Target group "group3": two receivers, comma separated, balanced with AutoLB.
# Note that the two receivers listen on different ports (9997 and 6666); each
# must be reachable from the forwarder.
[tcpout:group3]
server=myhost.Splunk.com:9997,10.1.1.197:6666
# You can override any of the global configuration values on a per-target group
# basis. All target groups that do not override a global config will inherit
# the global config.
# Send every event to a receiver at foo.Splunk.com:9997 with a maximum queue
# size of 100,500 events.
# Target group "group4": per-group overrides of the global [tcpout] settings.
# heartbeatFrequency: interval between heartbeats sent to the receiver
#   (seconds, per outputs.conf.spec - TODO confirm for this version).
# maxQueueSize: maximum number of events held in this group's output queue
#   (100,500 here). Events beyond this are blocked or dropped depending on the
#   queue settings of the forwarder - NOTE(review): confirm the overflow
#   behaviour before sizing this for production.
[tcpout:group4]
server=foo.Splunk.com:9997
heartbeatFrequency=45
maxQueueSize=100500
# Send data to a receiving system that controls access by tokens.
# NOTE: the token value is stored encrypted. Encryption is done by the REST
# endpoint when the setting is saved.
# Target group "group4" (alternative form): the receiver authenticates the
# forwarder with a token. This stanza reuses the name of the previous example;
# use one of the two, not both.
# token: the value shown is a sample in Splunk's encrypted form ($1$...), not a
# usable credential. The field holds an authentication secret: keep the file
# readable only by the Splunk user, do not commit it to version control, and
# rotate the token if it is exposed. A token typed in by hand is stored as
# written until Splunk encrypts it - NOTE(review): confirm when that happens
# for this version.
[tcpout:group4]
server=foo.Splunk.com:9997
token=$1$/fRSBT+2APNAyCB7tlcgOyLnAtqAQFC8NI4TGA2wX4JHfN5d9g==
# Clone events to groups indexer1 and indexer2. Also, index all this data
# locally as well.
# Clone every event to both indexer1 and indexer2, and also index it locally.
# indexAndForward: true keeps a local copy on this instance in addition to
# forwarding, so storage use doubles. Local indexing needs an indexing-capable
# instance (heavy forwarder) - NOTE(review): confirm against the spec.
# Y.Y.Y.Y / X.X.X.X are placeholders for the receiver addresses.
[tcpout]
indexAndForward=true
[tcpout:indexer1]
server=Y.Y.Y.Y:9997
[tcpout:indexer2]
server=X.X.X.X:6666
# Clone events between two data balanced groups.
# Clone events between two load-balanced groups: each event goes to one
# receiver of indexer1 and one receiver of indexer2.
# These stanzas reuse the indexer1/indexer2 names of the previous example;
# they are an alternative to it, not an addition.
# A.A.A.A, B.B.B.B, C.C.C.C, D.D.D.D are placeholders for receiver addresses.
[tcpout:indexer1]
server=A.A.A.A:1111, B.B.B.B:2222
[tcpout:indexer2]
server=C.C.C.C:3333, D.D.D.D:4444
# Syslog output configuration
# This example sends only events generated by the splunk daemon to a remote
# syslog host in syslog-compliant format:
# Syslog output "syslog-out1".
# disabled: false enables the output.
# server: syslog collector host:port (X.X.X.X is a placeholder).
# type: transport, tcp here. Events are sent as plain syslog text, so the link
# itself is not encrypted - NOTE(review): confirm this output has no TLS option
# in this version before sending it across an untrusted network.
# priority: syslog PRI value in angle brackets; <34> is facility 4 (auth),
# severity 2 (critical) - TODO confirm that mapping is what the collector expects.
# timestampformat: strftime-style format for the timestamp written into each
# message (%b %e %H:%M:%S gives e.g. "Apr 15 09:30:00").
[syslog:syslog-out1]
disabled = false
server = X.X.X.X:9099
type = tcp
priority = <34>
timestampformat = %b %e %H:%M:%S
# Auto Load Balancing
# This example balances output between two indexers listening on
# port 4433: 192.0.2.100:4433 and 192.0.2.101:4433.
# To achieve this you'd create a DNS entry for 'splunkLB' pointing
# to the two IP addresses of your indexers:
#
# $ORIGIN example.com.
# splunkLB A 192.0.2.100
# splunkLB A 192.0.2.101
# Auto load balancing through a DNS name that has several A records.
# defaultGroup: the target group that receives data with no explicit routing.
# server: "splunkLB.example.com" resolves to both indexer addresses and the
# forwarder balances across the resolved set. Where the forwarder reaches its
# indexers is therefore decided by DNS; pair this with the SSL settings shown
# later in this file when the network path is not trusted.
[tcpout]
defaultGroup = lb
[tcpout:lb]
server = splunkLB.example.com:4433
# Alternatively, you can use autoLB directly without DNS:
# Same load balancing without DNS: the indexer addresses are listed directly.
# This [tcpout]/[tcpout:lb] pair is an alternative to the DNS example above and
# uses the same stanza names; configure one of the two, not both.
[tcpout]
defaultGroup = lb
[tcpout:lb]
server = 192.0.2.100:4433, 192.0.2.101:4433
# Compression
#
# This example sends compressed events to the remote indexer.
# If set to "true", you do not need to set the 'compressed' setting to
# "true" in the inputs.conf file on the receiver for compression
# of data to occur.
# This setting applies to non-SSL forwarding only. For SSL forwarding with
# compression, Splunk software uses the 'useClientSSLCompression' setting.
# Compressed (non-SSL) forwarding to a single receiver.
# compressed: true compresses the stream on the wire. Compression is not
# encryption; the data is still readable in transit. For SSL forwarding use
# useClientSSLCompression instead, as described in the comment above.
[tcpout]
server = splunkServer.example.com:4433
compressed = true
# SSL
#
# This example sends events to an indexer via SSL using Splunk's
# self-signed certificate:
# Forward over SSL using the self-signed certificate that ships with Splunk.
# sslPassword: passphrase protecting the private key in clientCert. "password"
# is a placeholder; replace it. NOTE(review): Splunk is expected to rewrite this
# value in encrypted form on restart - confirm for this version, and keep the
# file readable only by the Splunk user regardless.
# clientCert: PEM file holding the forwarder's certificate and private key. The
# bundled server.pem is meant for testing only; it is the same on every Splunk
# install, so use certificates issued by your own CA in production.
# This example does not verify the receiver's certificate, so the forwarder
# will send to any host that presents a certificate. Once a trusted CA is in
# place, add `sslVerifyServerCert = true` (together with the CA and
# common-name settings documented in outputs.conf.spec) so that a wrong or
# impersonated receiver is rejected.
[tcpout]
server = splunkServer.example.com:4433
sslPassword = password
clientCert = $SPLUNK_HOME/etc/auth/server.pem
#
# The following example shows how to route events to syslog server
# This is similar to tcpout routing, but DEST_KEY is set to _SYSLOG_ROUTING
#
# 1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing
# attribute:
# props.conf (not outputs.conf): attach the routing transforms to data.
# [default] applies TRANSFORMS-routing=errorRouting to every source/sourcetype
# that does not override it; [syslog] overrides it for the "syslog" sourcetype.
# Routing is evaluated on the instance that parses the data (heavy forwarder or
# indexer), not on a universal forwarder - NOTE(review): confirm for this setup.
[default]
TRANSFORMS-routing=errorRouting
[syslog]
TRANSFORMS-routing=syslogRouting
# 2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting
# and syslogRouting rules:
# transforms.conf: the routing rules referenced from props.conf.
# REGEX is applied to the raw event text: "error" matches any event containing
# that string (case-sensitive, anywhere in the event); "." matches every
# non-empty event.
# DEST_KEY=_SYSLOG_ROUTING sends the match to a syslog target group rather than
# a tcpout group; FORMAT names the [syslog:<group>] stanza in outputs.conf.
[errorRouting]
REGEX=error
DEST_KEY=_SYSLOG_ROUTING
FORMAT=errorGroup
[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
# 3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which servers or
# groups the syslog outputs go to:
# outputs.conf: syslog target groups named by the FORMAT values above.
# defaultGroup: where data with no explicit _SYSLOG_ROUTING value goes.
# No type or priority is set in these groups, so the defaults from
# outputs.conf.spec apply (udp transport by default - NOTE(review): confirm for
# this version). Syslog output is unencrypted with either transport.
[syslog]
defaultGroup=everythingElseGroup
[syslog:syslogGroup]
server = 10.1.1.197:9997
[syslog:errorGroup]
server=10.1.1.200:9999
[syslog:everythingElseGroup]
server=10.1.1.250:6666
#
# Perform selective indexing and forwarding
#
# Using a heavy forwarder, you can index and store data locally, and
# forward the data out to a receiving indexer. In the example, by
# setting the defaultGroup to a non-existent group named "noforward",
# the forwarder only forwards data that has been routed using explicit
# target groups defined in the inputs.conf
# 1. In outputs.conf:
# outputs.conf: index locally and forward only explicitly routed data.
# defaultGroup=noforward names a group that does not exist, so unrouted data is
# not forwarded anywhere.
# [indexAndForward] index=true plus selectiveIndexing=true keeps local indexing
# on but limits it to data routed with _INDEX_AND_FORWARD_ROUTING (step 2
# below). NOTE(review): an input that carries neither routing key is then
# neither forwarded nor indexed - confirm that silent drop is intended.
# [tcpout:indexers] is the group referenced by _TCP_ROUTING in inputs.conf.
[tcpout]
defaultGroup = noforward
[indexAndForward]
index=true
selectiveIndexing=true
[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997
# 2. In inputs.conf, add _INDEX_AND_FORWARD_ROUTING to the input
# stanza for any data that you want to index locally, or
# _TCP_ROUTING=<target_group> for data to be forwarded.
# inputs.conf: routing is chosen per input.
# _INDEX_AND_FORWARD_ROUTING=local marks the data for local indexing only;
# _TCP_ROUTING=indexers sends it to the [tcpout:indexers] group without
# indexing it here. An input with neither key gets neither treatment under the
# outputs.conf above - NOTE(review): confirm before rolling this out.
[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local
[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers
# Output to S3 for Ingest Actions
# For example, sending to an AWS bucket "buttercup-bucket", with a prefix
# in front of all paths "some-prefix", along with encryption using AWS
# SSE-S3 to the us-west-2 region:
# Ingest Actions output to S3.
# path: bucket and key prefix; "buttercup-bucket" and "some-prefix" are
# examples.
# remote.s3.encryption = sse-s3: server-side encryption with S3-managed keys.
# remote.s3.endpoint: regional endpoint; keep it https so credentials and data
# are not sent in clear text.
# remote.s3.signature_version = v4: requests are signed with SigV4.
# remote.s3.supports_versioning = false: bucket versioning is not assumed.
# remote.s3.access_key / remote.s3.secret_key: <...> are placeholders. These
# are long-lived AWS credentials kept in plain text in this file: scope the IAM
# principal to this bucket and prefix only, keep the file readable only by the
# Splunk user, never commit it, and prefer instance/role credentials where the
# deployment supports them (NOTE(review): confirm whether omitting both keys
# falls back to the instance profile in this version).
[rfs:s3]
path = s3://buttercup-bucket/some-prefix
remote.s3.encryption = sse-s3
remote.s3.endpoint = https://s3.us-west-2.amazonaws.com
remote.s3.signature_version = v4
remote.s3.supports_versioning = false
remote.s3.access_key = <access key here>
remote.s3.secret_key = <secret key here>
