Solved: How to configure a Heavy Forwarder to override any...

kylerose · ‎07-14-2015

We would like to override ANY index name coming from Universal Forwarders. We would like to do this at our Heavy Forwarders. Here is the config we are using on our HFs that is not working:

inputs.conf

[splunktcp-ssl:9997]
disabled = 0
index = *new_index_name*
_TCP_ROUTING = autolb-group

[SSL]
rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem
password = *password*

outputs.conf

[indexAndForward]
index = false
selectiveIndexing = false

[tcpout]
defaultGroup = autolb-group

[tcpout:autolb-group]
disabled = false
server = *forwarders*
sslCertPath = /opt/splunk/etc/auth/server.pem
sslPassword = *password*
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
sslVerifyServerCert = false
useACK = false

props.conf

[myindex]
TRANSFORMS-index=overrideindex

transforms.conf

[overrideindex]
REGEX = (.*)
FORMAT = *new_index_name*
SOURCE_KEY=_MetaData:Index
DEST_KEY = _MetaData:Index

kylerose · ‎07-14-2015

The issue was in props.conf

[myindex] needed to be set to [host::*]

View solution in original post

kylerose · ‎07-14-2015

The issue was in props.conf

[myindex] needed to be set to [host::*]

How to configure a Heavy Forwarder to override any index name coming from Universal Forwarders?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases