Specific index forwarding to external index tier

sonicZ
Contributor

Hello,

We have a requirement that certain indexes (SSO and SSO_Summary, for this example) in our index cluster send to another external offsite network's Splunk forwarder/indexer environment. Can we forward just "SSO and SSO_Summary" from our index cluster level to this other offsite Splunk environment?

We have specific silos where each Splunk agent / intermediate forwarder cannot talk to other silos' intermediate forwarder tiers or endpoint agents. Because we have these restricted silos, we cannot forward data as easily as some of the standard Splunk examples (like the data cloning examples).

So an example silo has Splunk data routing as follows:
Front end silo: end points(many) -> Intermediate forwarder(pair) ->
Back end silo: end points(many) -> Intermediate forwarder(pair) ->
Shared silo -> index cluster(4 indexers all Front end, back end data forwards to here)

The only examples I see are forwarding ALL index content or data routing based on event content using regular expressions. How would I just forward specific indexes?

We would have a VPN in place to do this, just checking if this is possible.
We are trying to avoid forwarding from the end point agents to the external Splunk environment due to security considerations.

Thanks

1 Solution

sonicZ
Contributor

I didn't realize, but it looks like we can filter and forward from indexer to indexer now using the forwardedindex whitelist/blacklist: http://docs.splunk.com/Documentation/Splunk/4.3.3/Deploy/Routeandfilterdatad#Filter_data_by_target_i...

So something like this would work

> [tcpout]
> defaultGroup = indexer_external
> disabled = false
>
> [tcpout:indexer_external]
> indexAndForward = true
> disabled = false
> server = indexer_ip:9997
> forwardedindex.filter.disable = false
> forwardedindex.2.whitelist = externalIndexName


dm1
Contributor

Doesn't the forwardedindex filter only work in the global [tcpout] stanza, as per outputs.conf?

How did you manage to make it work in a target-group-specific stanza?


sonicZ
Contributor

Splunk support confirmed this.


sonicZ
Contributor

I didn't realize, but it looks like we can filter and forward from indexer to indexer now using the forwardedindex whitelist/blacklist:
http://docs.splunk.com/Documentation/Splunk/4.3.3/Deploy/Routeandfilterdatad#Filter_data_by_target_i...

So something like this might work?

[tcpout]
defaultGroup = indexer_external
disabled = false

[tcpout:indexer_external]
indexAndForward = true
disabled = false
server = indexer_ip:9997
forwardedindex.filter.disable = false
forwardedindex.2.whitelist = externalIndexName

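A small simulator of the forwardedindex filter chain, added here as an example; it is not from this thread or from Splunk. It assumes the outputs.conf spec semantics (slots tested from n=0 upward, a whitelist honored over a blacklist in the same slot, anchored regex, last matching slot decides) and the stock default filters as I recall them, and it treats the posted keys as the [tcpout] chain; verify both against your version's $SPLUNK_HOME/etc/system/default/outputs.conf. It shows why the posted stanza still forwards every non-internal index, and one variant that limits forwarding to SSO and SSO_Summary.

```python
import re

# Stock forwardedindex defaults in $SPLUNK_HOME/etc/system/default/outputs.conf
# as I recall them (assumption: check your version). Keys set in your own
# [tcpout] are layered over these; they do not replace the whole chain.
DEFAULT_TCPOUT = {
    "forwardedindex.0.whitelist": r".*",
    "forwardedindex.1.blacklist": r"_.*",
    "forwardedindex.2.whitelist": r"_audit",
}

def filter_chain(user_settings):
    """Merge user keys over the defaults; return [(kind, regex), ...] in slot order.
    Spec: slots run from n=0 with no gaps; whitelist wins over blacklist in one slot."""
    merged = {**DEFAULT_TCPOUT, **user_settings}
    chain, n = [], 0
    while True:
        wl = merged.get(f"forwardedindex.{n}.whitelist")
        bl = merged.get(f"forwardedindex.{n}.blacklist")
        if wl is None and bl is None:
            break
        chain.append(("whitelist", wl) if wl is not None else ("blacklist", bl))
        n += 1
    return chain

def is_forwarded(index, user_settings):
    """True if events destined for `index` leave the indexer. Assumptions: the regex
    must match the whole index name, the last matching slot decides, no match = drop."""
    if user_settings.get("forwardedindex.filter.disable", "false").lower() == "true":
        return True
    decision = False
    for kind, pattern in filter_chain(user_settings):
        if re.fullmatch(pattern, index):
            decision = kind == "whitelist"
    return decision

# The thread's stanza: only slot 2 is overridden, so the default slot 0
# whitelist (.*) still passes every non-internal index to the external tier.
POSTED = {"forwardedindex.2.whitelist": "externalIndexName"}

# A variant (my assumption, not from the thread) that overrides every default
# slot so only the two indexes from the question are forwarded. Slot 2 must be
# overridden as a whitelist: a blacklist there would lose to the default whitelist.
RESTRICTED = {
    "forwardedindex.0.whitelist": "(SSO|SSO_Summary)",
    "forwardedindex.1.blacklist": "_.*",
    "forwardedindex.2.whitelist": "(SSO|SSO_Summary)",
}
```

Run `is_forwarded("web", POSTED)` versus `is_forwarded("web", RESTRICTED)` to see the difference the slot 0 override makes.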