Hello everyone : )
I have a splunk instance with an alert manager app that is producing logs that are being indexed on the same machine as index=alerts.
I would like to forward this data to another splunk instance, without use an universal forwarder, but only changing the outputs.conf file in splunk.
Using this system, I m forwarding ALL the logs are contains in my splunk istance to the other one, but I would like to send only index=alerts.
How can I change the inputs/outputs.conf to allow this?
Thanks,
Federica
Look at this link:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Forward_data_for_a_...
Outputs.conf: in “$splunkhome$/etc/system/local/outputs.conf
Something like what is below:
[tcpout]
defaultGroup = local
indexAndForward=true
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = alerts
[tcpout:whatever] -- Whatever it is set to now should work if it is already forwarding everything.