Hi everyone,
I'm looking for a solution to forward some events to another Splunk Server. I need to forward specific events only (eg. events with httpCode=500). I saw in the documentation that I can deploy a universal forwarder and then configure filters by editing props.conf. From what I understood, forwarders are set up on each server where we need to capture data. I would like to avoid this and have a centralized solution.
I'm wondering if it's the only way to do it. Is it possible to set a search in Splunk web UI and then send the events to a particular server?
My concern is to be able to filter events from a centralized server.
Thanks for your help
Hi gblondeau,
you can set up a deployment server which will be the centralized configuration server for the universal forwarders. Nevertheless, filtering will be done in your case on an indexer, because this is data parsing which will not be done by the universal forwarder. So you must set up props.conf and transforms.conf according to the docs on your indexer.
hope this helps to get you started ...
cheers, MuS
Regarding the configuration: basically you could also use any other tool that is able to change files on a server, like Puppet.
Regarding the filtering: no, this is how it is done 🙂
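As an added illustration of the props.conf / transforms.conf / outputs.conf setup MuS describes (not configuration from the thread or from Splunk's own docs), here is a minimal routing config for the case in the question: events containing `httpCode=500` are sent to a second Splunk server, everything else is indexed locally. It assumes a sourcetype named `web_access`, a target host `splunk-secondary.example.com` listening on 9997, and the group name `secondary_splunk`; all three are placeholders. The stanzas go on the instance that parses the data (an indexer or a heavy forwarder), since a universal forwarder does not run the parsing pipeline and ignores `TRANSFORMS-*`.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf
# Bind a routing transform to the sourcetype (placeholder name: web_access).
[web_access]
TRANSFORMS-route_errors = route_http_500

# $SPLUNK_HOME/etc/system/local/transforms.conf
# Regex is tested against the raw event; a match sets the _TCP_ROUTING key
# to the name of the tcpout group defined in outputs.conf.
[route_http_500]
REGEX = httpCode=500
DEST_KEY = _TCP_ROUTING
FORMAT = secondary_splunk

# $SPLUNK_HOME/etc/system/local/outputs.conf
# No defaultGroup is set on purpose: only events whose _TCP_ROUTING key was
# set by the transform are forwarded; the rest stay local.
[tcpout]

[tcpout:secondary_splunk]
server = splunk-secondary.example.com:9997

# Keep indexing locally on this indexer even though outputs.conf is present;
# without this an indexer with a tcpout stanza forwards only.
[indexAndForward]
index = true
```

Two things worth checking after a restart: the receiving server must have a receiving port enabled (Settings > Forwarding and receiving, or `[splunktcp://9997]` in inputs.conf), and `REGEX` should be as specific as the log format allows (for example anchoring on the field delimiter) so that a `500` appearing elsewhere in an event is not routed by accident. Because routing happens at parse time, it applies to new data only; already-indexed events are not affected.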
Hey Mus,
Thanks for your answer. I'll take a look at the deployment server + universal forwarder.
Otherwise, is there any other solution?