Create an NFS file system destination

To write events to an NFS file system destination, select a preconfigured file system destination when you configure the "Route to Destination" rule. The "Immediately send to" field has a typeahead capability that displays all preconfigured destinations.

Perform these steps:

  1. If you do not already have an NFS server, configure the NFS server in accordance with the topology and needs of your system. Use NFS 4.1 or higher. Provision the NFS server for read/write access. Ingest actions imposes no other requirements on the NFS server.
  2. Mount the NFS server's exported share on your indexer's local file system.
  3. Configure the file system destination within the ingest actions UI, as described in Configure the file system destination.
  4. Use the destination in a "Route to Destination" rule.
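
A pre-flight check for the NFS requirements in steps 1 and 2, added here as an example and not taken from the Splunk documentation: it reads mount entries in /proc/mounts format to confirm that a destination path is an NFS 4.1 or higher mount with read/write options, then probes an actual write. It assumes a Linux host; the function names, host names and mount points are hypothetical.

```shell
#!/bin/sh
# Added example. Host names and mount points below are constructed.
sample_mounts() {   # constructed sample in /proc/mounts format
cat <<'EOF'
nfs01.example.internal:/export/ia /mnt/ia_ok nfs4 rw,relatime,vers=4.1,hard,proto=tcp,sec=sys 0 0
nfs01.example.internal:/export/old /mnt/ia_v40 nfs4 rw,relatime,vers=4.0,hard,proto=tcp,sec=sys 0 0
nfs02.example.internal:/export/v3 /mnt/ia_v3 nfs rw,relatime,vers=3,hard,proto=tcp 0 0
nfs01.example.internal:/export/ro /mnt/ia_ro nfs4 ro,relatime,vers=4.2,hard,proto=tcp,sec=sys 0 0
/dev/sda1 /data ext4 rw,relatime 0 0
EOF
}

# check_nfs_dest MOUNT_POINT [MOUNTS_FILE]  (hypothetical helper)
# Returns 0 = NFS 4.1+ mounted rw, 1 = not a mount point, 2 = not NFS
# (for example a local file system), 3 = NFS below 4.1, 4 = mounted read-only.
check_nfs_dest() {
  awk -v mp="$1" '
    $2 == mp { found = 1; fstype = $3; opts = $4 }   # last matching entry wins
    END {
      if (!found) exit 1
      if (fstype != "nfs" && fstype != "nfs4") exit 2
      n = split(opts, o, ","); rw = 0; vers = "0"
      for (i = 1; i <= n; i++) {
        if (o[i] == "rw") rw = 1
        if (o[i] ~ /^vers=/) vers = substr(o[i], 6)
      }
      split(vers, v, ".")
      if (v[1] + 0 < 4 || (v[1] + 0 == 4 && v[2] + 0 < 1)) exit 3
      if (!rw) exit 4
    }' "${2:-/proc/mounts}"
}

# probe_write DIR  (hypothetical helper): create and delete a file as the
# current user. The rw mount flag alone does not prove that the export lets
# this account write, so run it as the user that runs Splunk.
probe_write() {
  f="$1/.ia_probe.$$"
  ( : > "$f" ) 2>/dev/null && rm -f "$f"
}

# Demo against the constructed sample; prints one return code per mount point.
tmp=$(mktemp) && sample_mounts > "$tmp"
for mp in /mnt/ia_ok /mnt/ia_v40 /mnt/ia_v3 /mnt/ia_ro /data /mnt/missing; do
  rc=0; check_nfs_dest "$mp" "$tmp" || rc=$?
  echo "$mp -> $rc"
done
rm -f "$tmp"
```

On a real indexer or heavy forwarder, call check_nfs_dest with only the mount point so that it reads the live /proc/mounts, then run probe_write on the destination directory.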

Configure the file system destination

You configure file system destinations through the Destinations tab on the Ingest Actions page. Select File System under the New Destination button and fill out the fields, following the examples provided there.

Note: In addition to an NFS file system, you can also use the file system destination capability to point to a local file system.

You can create a maximum of eight file system destinations. As with all ingest actions destinations, when rulesets route to a destination that is invalid or does not exist, the Splunk Platform instance blocks all queues and pipelines and does not drop data.

Note: In the case of heavy forwarders managed through agent management running version 10.2 or higher, you can configure file system destinations on the agent management instance, and the configuration propagates to connected agents. For agent management instances running versions earlier than 10.2, you must configure file system destinations on each heavy forwarder individually. When using this capability, ensure the file system path is valid and accessible on each agent. For NFS destinations, verify that the NFS configuration is correct on each agent.

File system destinations are not available for use with ingest actions on the Splunk Cloud Platform.

The partitioning capability is similar to that for S3, except that the only partitioning schema available is YYYY/MM/DD. For information on partitioning, see the S3 section Partition events, and ignore the material that applies only to S3. In particular, as noted in that section, for details on partitioning and the relationship to the resulting path, see the partitionBy setting in outputs.conf.

The outputs.conf file also includes a few advanced settings specific to file system destinations. Look for the settings whose names start with "fs.".

Configure file system destinations using agent management

If you are using agent management to manage heavy forwarders, you can configure file system destinations on the agent management instance. The configuration then propagates to connected agents. This capability requires an agent management instance running version 10.2 or higher. There are no version restrictions for agents, as long as the agent is compatible with the agent management instance.

Note the following:

  • Configure all destinations from agent management to avoid inconsistency. If you configure some destinations on the agent management instance and others directly on individual agents, the configuration might not work as expected.
  • This feature is enabled by default. To disable it, set the enableS3ConfigOnDs flag to false in limits.conf on the agent management instance. No configuration is required on agents to use this feature.
  • When using file system destinations with agent management, ensure the destination path is valid and accessible on each agent.
  • For NFS destinations, verify that the NFS mount and configuration are correct on each agent.