Universal forwarder: how to forward different logs...

arkadyz1 · ‎05-22-2015

I have two different Splunk applications on two different search heads. Right now those search heads are also indexers, but this might change in the future.

Anyway: I defined two groups in etc/system/local/outputs.conf, and referred to one or another using _TCP_ROUTING in each monitor stanza in etc/system/local/inputs.conf. I also removed default stanza from outputs.conf, so that there are no default groups. Is this setup good enough for the purpose?

woodcock · ‎05-23-2015

Another way you could do it is to stand up 2 different instances of Splunk, but I would only use this approach if at least one of your input types is compressed (e.g. *.gz, *zip, etc.) because the AQ is single-threaded and could use the help anyway.

acharlieh · ‎05-22-2015

Offhand (quickly not looking at the docs) that sounds right. Are you seeing problems with it?

Edit: wait actually you may want to set the default routing to a dummy group if you don't want events to go anywhere by default.

arkadyz1 · ‎05-22-2015

I haven't seen any problems yet, but wanted to double check if I'm not missing something. Thanks for this 'dummy group' remark - I'll take a look into it.

Universal forwarder: how to forward different logs to different indexers?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases