Create an NFS file system destination
To write events to an NFS file system destination, select a preconfigured file system destination when you configure the "Route to Destination" rule. The "Immediately send to" field has a typeahead capability that displays all preconfigured destinations.
- If you do not already have an NFS server, configure the NFS server in accordance with the topology and needs of your system. Use NFS 4.1 or higher. Provision the NFS server for read/write access. Ingest actions imposes no other requirements on the NFS server.
- Mount the NFS server's exported share on your indexer's local file system.
- Configure the file system destination within the ingest actions UI, as described in Configure the file system destination.
- Use the destination in a "Route to Destination" rule.
Configure the file system destination
You configure file system destinations through the Destinations tab on the Ingest Actions page. Select File System under the New Destination button and fill out the fields, following the examples provided there.
You can create a maximum of eight file system destinations. As with all ingest actions destinations, when rulesets route to a destination that is invalid or does not exist, the Splunk Platform instance blocks all queues and pipelines and does not drop data.
File system destinations are not available for use with ingest actions on the Splunk Cloud Platform.
The partitioning capability is similar to that for S3, except that the only partitioning schema available is YYYY/MM/DD. For information on partitioning, see the S3 section Partition events, ignoring the material that is obviously relevant only to S3. In particular, as noted in that section, for details on partitioning and the relationship to the resulting path, see the partitionBy setting in outputs.conf
The outputs.conf file also includes a few advanced settings specific to file system destinations. Look for the settings prepended with fs..