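# Version 9.2.2.20240415
#
# This file contains an example outputs.conf. Use this file to configure
# forwarding in a distributed set up.
#
# To use one or more of these configurations, copy the configuration block into
# outputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to
# enable configurations.
#
# Each example below is self-contained, so stanza names such as [tcpout],
# [tcpout:lb] and [tcpout:indexer1] are repeated across examples. Copy the
# stanzas of one example at a time: stanzas with the same name are merged
# when the file is read, and copying several examples together would give a
# mix of their settings rather than any one of them.
#
# Unless an example says otherwise, data leaves the forwarder without
# transport encryption. See the "SSL" example below for encrypted forwarding.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# Specify a target group for an IP:PORT which consists of a single receiver.
# This is the simplest possible configuration; it sends data to the host at
# 10.1.1.197 on port 9997.
[tcpout:group1]
server = 10.1.1.197:9997

# Specify a target group for a hostname which consists of a single receiver.
[tcpout:group2]
server = myhost.Splunk.com:9997

# Specify a target group made up of two receivers. In this case, the data will
# be distributed using AutoLB between these two receivers. You can specify as
# many receivers as you wish here. You can combine host name and IP if you
# wish.
# NOTE: Do not use this configuration with SplunkLightForwarder.
[tcpout:group3]
server = myhost.Splunk.com:9997,10.1.1.197:6666

# You can override any of the global configuration values on a per-target group
# basis. All target groups that do not override a global config will inherit
# the global config.

# Send every event to a receiver at foo.Splunk.com:9997 with a maximum queue
# size of 100,500 events.
[tcpout:group4]
server = foo.Splunk.com:9997
# seconds between heartbeats to the receiver
heartbeatFrequency = 45
# events
maxQueueSize = 100500

# Send data to a receiving system that controls access by tokens.
# (Named group5 here so that it does not collide with the group4 example
# above; both stanzas would otherwise be merged into one.)
# NOTE: token value is encrypted. Encryption is done by REST endpoint while saving.
# Because the encryption happens on the REST save path, a token pasted into
# this file by hand stays in clear text until the file is next saved that
# way. The token grants send access to the receiver, so restrict read access
# to this file as you would for any credential store.
[tcpout:group5]
server = foo.Splunk.com:9997
token = $1$/fRSBT+2APNAyCB7tlcgOyLnAtqAQFC8NI4TGA2wX4JHfN5d9g==

# Clone events to groups indexer1 and indexer2. Also, index all this data
# locally as well.
[tcpout]
indexAndForward = true

[tcpout:indexer1]
server = Y.Y.Y.Y:9997

[tcpout:indexer2]
server = X.X.X.X:6666

# Clone events between two data balanced groups.
[tcpout:indexer1]
server = A.A.A.A:1111, B.B.B.B:2222

[tcpout:indexer2]
server = C.C.C.C:3333, D.D.D.D:4444

# Syslog output configuration
# This example sends only events generated by the splunk daemon to a remote
# syslog host in syslog-compliant format.
# No transport encryption is configured in this stanza; the events travel as
# plain syslog over TCP, so keep the path to the syslog host on a network you
# trust.
[syslog:syslog-out1]
disabled = false
server = X.X.X.X:9099
type = tcp
# syslog PRI value (facility * 8 + severity); <34> is auth/critical
priority = <34>
timestampformat = %b %e %H:%M:%S

# Auto Load Balancing
# This example balances output between two indexers listening on
# port 4433: 192.0.2.100:4433 and 192.0.2.101:4433.
# To achieve this you'd create a DNS entry for 'splunkLB' pointing
# to the two IP addresses of your indexers:
#
#    $ORIGIN example.com.
#    splunkLB  A  192.0.2.100
#    splunkLB  A  192.0.2.101
[tcpout]
defaultGroup = lb

[tcpout:lb]
server = splunkLB.example.com:4433

# Alternatively, you can use autoLB directly without DNS:
[tcpout]
defaultGroup = lb

[tcpout:lb]
server = 192.0.2.100:4433, 192.0.2.101:4433

# Compression
#
# This example sends compressed events to the remote indexer.
# If set to "true", you do not need to set the 'compressed' setting to "true"
# in the inputs.conf file on the receiver for compression of data to occur.
# This setting applies to non-SSL forwarding only. For SSL forwarding with
# compression, Splunk software uses the 'useClientSSLCompression' setting.
# Compression is not encryption: with only this stanza the event data is still
# readable on the wire.
[tcpout]
server = splunkServer.example.com:4433
compressed = true

# SSL
#
# This example sends events to an indexer via SSL using splunk's
# self signed cert.
# 'password' below is a placeholder for the passphrase of the private key in
# clientCert; replace it. This example encrypts the connection but does not
# verify the receiver's identity; for production, set sslVerifyServerCert to
# true and use a certificate the forwarder can validate, so that data cannot
# be redirected to an impostor receiver.
[tcpout]
server = splunkServer.example.com:4433
sslPassword = password
clientCert = $SPLUNK_HOME/etc/auth/server.pem

#
# The following example shows how to route events to syslog server
# This is similar to tcpout routing, but DEST_KEY is set to _SYSLOG_ROUTING
#
# 1. Edit $SPLUNK_HOME/etc/system/local/props.conf and set a TRANSFORMS-routing
#    attribute:
[default]
TRANSFORMS-routing = errorRouting

[syslog]
TRANSFORMS-routing = syslogRouting

# 2. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set errorRouting
#    and syslogRouting rules:
[errorRouting]
REGEX = error
DEST_KEY = _SYSLOG_ROUTING
FORMAT = errorGroup

# REGEX=. matches every event, so everything in the [syslog] sourcetype that
# is not already routed by errorRouting goes to syslogGroup.
[syslogRouting]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup

# 3. Edit $SPLUNK_HOME/etc/system/local/outputs.conf and set which servers or
#    groups each syslog output is routed to:
[syslog]
defaultGroup = everythingElseGroup

[syslog:syslogGroup]
server = 10.1.1.197:9997

[syslog:errorGroup]
server = 10.1.1.200:9999

[syslog:everythingElseGroup]
server = 10.1.1.250:6666

#
# Perform selective indexing and forwarding
#
# Using a heavy forwarder, you can index and store data locally, and
# forward the data out to a receiving indexer. In the example, by
# setting the defaultGroup to a non-existent group named "noforward",
# the forwarder only forwards data that has been routed using explicit
# target groups defined in the inputs.conf

# 1. In outputs.conf:
[tcpout]
defaultGroup = noforward

[indexAndForward]
index = true
selectiveIndexing = true

[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997

# 2. In inputs.conf, add _INDEX_AND_FORWARD_ROUTING to the input stanza for
#    any data that you want to index locally, or _TCP_ROUTING= for data to be
#    forwarded.
[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING = local

[monitor:///var/log/httpd/]
_TCP_ROUTING = indexers

# Output to S3 for Ingest Actions
# For example, sending to an AWS bucket "buttercup-bucket", with a prefix
# in front of all paths "some-prefix", along with encryption using AWS
# SSE-S3 to the us-west-2 region.
# remote.s3.access_key and remote.s3.secret_key are left empty in this
# example on purpose: a static key pair written here is a long-lived
# credential stored in clear text. Prefer an instance profile or other
# AWS credential source where available and confirm in the outputs.conf.spec
# for your version how empty values are resolved; if you must use static
# keys, scope them to this bucket and prefix only and restrict read access to
# this file.
[rfs:s3]
path = s3://buttercup-bucket/some-prefix
remote.s3.encryption = sse-s3
remote.s3.endpoint = https://s3.us-west-2.amazonaws.com
remote.s3.signature_version = v4
remote.s3.supports_versioning = false
remote.s3.access_key =
remote.s3.secret_key =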