- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How to forward filtered events from Splunk to anot...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I'm looking for a solution to forward some events to another Splunk Server. I need to forward specific events only (eg. events with httpCode=500). I saw in the documentation that I can deploy a universal forwarder and then configure filters by editing props.conf. From what I understood, forwarders are set up on each server where we need to capture data. I would like to avoid this and have a centralized solution.
I'm wondering if it's the only way to do it. Is it possible to set a search in Splunk web UI and then send the events to a particular server?
My concern is to be able to filter events from a centralized server.
Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gblondeau,
you can setup a deployment server which will be the centralized configuration server for the universal forwarders. Nevertheless, filtering will be done in your case on an indexer, because this is data parsing which will not be done by the universal forwarder. So you must setup props.conf and transforms.conf according the docs on your indexer.
hope this helps to get you started ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gblondeau,
you can setup a deployment server which will be the centralized configuration server for the universal forwarders. Nevertheless, filtering will be done in your case on an indexer, because this is data parsing which will not be done by the universal forwarder. So you must setup props.conf and transforms.conf according the docs on your indexer.
hope this helps to get you started ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regarding the configuration: basically you could also use any other tool that is able to change files on a server, like Puppet.
Regarding the filtering: no, this is how it is done 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Mus,
Thanks for your answer. I'll take a look at the deployment server + universal forwarder.
Otherwise, is there any other solution?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
