
Splunk how to route logs into two sources


I have a local Splunk Enterprise instance running and consuming logs from the Splunk Java SDK:

        loginArgs.put("sourcetype", "echologs");
        var receiver = splunkService.getReceiver();
        ...
        String data = LocalDateTime.now() + " and " + generatedString;
        receiver.log("custom_index", loginArgs, data);

So when I have output.conf file like the following:

outputs.conf

        [httpout:splunk_api]
        uri = https://localhost:8089

It works fine. The problem: I need not only to be able to see these logs in Splunk, but also to redirect them in parallel in the tcpout direction, where I am consuming them with my application code on the opened socket.

outputs.conf

        [tcpout]
        defaultGroup = my_java_socket

        [tcpout:my_java_socket]
        server = 127.0.0.1:9000

and it works fine alone.

But the following config is not working and I cannot find a reason.

        [httpout:splunk_api]
        uri = https://localhost:8089

        [tcpout]
        defaultGroup = my_java_socket

        [tcpout:my_java_socket]
        server = 127.0.0.1:9000

In the above example I am receiving logs only via the socket. Nothing is displayed in Splunk.

Thanks :)

I've tried debugging with the splunk btool check --debug internal Splunk command. I've tried different combinations of outputs.conf files. I've tried to find something related in Splunk Web as well.

I've tried to find the answer on the Splunk community forum as well.


Solution

  • Splunk can send via TCP or HTTP, but not both at the same time.