
How to edit outputs.conf for the Splunk Add-on for Check Point OPSEC LEA on a heavy forwarder to route logs to new indexers?

Splunk_rocks
Path Finder

We have a Splunk setup that collects the ASA Check Point logs on a heavy forwarder and sends them to an indexer server through the Splunk® Add-on for Check Point OPSEC LEA. That add-on was configured and installed on the heavy forwarder.

When I checked the input files, I saw that the following script had been added to the inputs.conf file:
/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Checkpoint

Now we are in the process of building new indexer servers and I'm trying to find a way to change outputs.conf to redirect the logs to the new indexers.

Here is the current data flow.

Checkpoint ---- HF -- old indexer
My new settings will be
Check point - HF - new indexer servers --

If anyone knows how to update the outputs for the Splunk Add-on for Check Point OPSEC LEA, please let me know.

1 Solution

Splunk_rocks
Path Finder

Sometimes we miss the basic things 🙂

I have found the way; it is simple and it worked.

Thanks for your help.

Adding the stanza below to inputs.conf:

_TCP_ROUTING = indexset

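The accepted answer only works if the tcpout group that `_TCP_ROUTING` names (`indexset`) actually exists in outputs.conf on the heavy forwarder and lists the new indexers. The following is an added example for this thread, not code from Splunk or from the OPSEC LEA add-on: it embeds a constructed inputs.conf (the poster's scripted input plus the `_TCP_ROUTING` line) and a constructed outputs.conf, then checks that every `_TCP_ROUTING` target and the `[tcpout] defaultGroup` resolve to a defined group with servers, and reports which inputs would still reach a retired indexer. The hostnames, ports, the certificate path and the `oldidx` group are assumptions made up for the example.

```python
"""Validate heavy-forwarder routing: inputs.conf _TCP_ROUTING -> outputs.conf tcpout groups.

Added example for this thread; not Splunk's or the add-on's code. Hosts, ports,
the certificate path and the group names below are constructed assumptions.
"""
import configparser
from io import StringIO

# Constructed inputs.conf: the OPSEC LEA scripted input from the thread,
# with the _TCP_ROUTING line the poster added.
INPUTS_CONF = """\
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Checkpoint_XX]
_rcvbuf = 1572864
disabled = false
host = XX
index = firewall
interval = 10
passAuth = splunk-system-user
sourcetype = sec
_TCP_ROUTING = indexset
"""

# Constructed outputs.conf on the heavy forwarder. "indexset" is the group
# _TCP_ROUTING names; "oldidx" is kept only to show the retired-indexer check.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = indexset
indexAndForward = false

[tcpout:indexset]
server = new-idx01.example.net:9997, new-idx02.example.net:9997
useACK = true
sslVerifyServerCert = true
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem

[tcpout:oldidx]
server = old-idx01.example.net:9997
"""


def load_conf(text):
    """Parse Splunk .conf text; keep keys case-sensitive (_TCP_ROUTING)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(StringIO(text))
    return cp


def tcpout_groups(outputs):
    """Map each tcpout group name to the list of (host, port) it forwards to."""
    groups = {}
    for section in outputs.sections():
        if not section.startswith("tcpout:"):
            continue
        targets = []
        for entry in outputs.get(section, "server", fallback="").split(","):
            entry = entry.strip()
            if not entry:
                continue
            host, _, port = entry.rpartition(":")
            if not host or not port.isdigit():
                raise ValueError(f"{section}: malformed server entry '{entry}'")
            targets.append((host, int(port)))
        groups[section[len("tcpout:"):]] = targets
    return groups


def check_routing(inputs_text, outputs_text):
    """Return {input stanza: [(host, port), ...]} for inputs that set _TCP_ROUTING.

    Raises ValueError if _TCP_ROUTING or [tcpout] defaultGroup names a group
    that outputs.conf does not define, or a group without any servers."""
    inputs = load_conf(inputs_text)
    outputs = load_conf(outputs_text)
    groups = tcpout_groups(outputs)

    default = outputs.get("tcpout", "defaultGroup", fallback="")
    for name in (g.strip() for g in default.split(",") if g.strip()):
        if name not in groups:
            raise ValueError(f"[tcpout] defaultGroup names undefined group '{name}'")

    routed = {}
    for stanza in inputs.sections():
        if not inputs.has_option(stanza, "_TCP_ROUTING"):
            continue
        targets = []
        for name in (g.strip() for g in inputs.get(stanza, "_TCP_ROUTING").split(",")):
            if name not in groups:
                raise ValueError(f"{stanza}: _TCP_ROUTING names undefined group '{name}'")
            if not groups[name]:
                raise ValueError(f"tcpout:{name} has no server entries")
            targets.extend(groups[name])
        routed[stanza] = targets
    return routed


def still_reaches(routed, retired_hosts):
    """Input stanzas whose routing still includes a retired indexer host."""
    retired = set(retired_hosts)
    return sorted(s for s, t in routed.items() if any(h in retired for h, _ in t))


if __name__ == "__main__":
    routed = check_routing(INPUTS_CONF, OUTPUTS_CONF)
    for stanza, targets in routed.items():
        print(stanza, "->", ", ".join(f"{h}:{p}" for h, p in targets))
    print("still routed to old indexers:", still_reaches(routed, ["old-idx01.example.net"]) or "none")
```

On a real heavy forwarder the merged configuration, not a single file, is what matters, so confirm the group with `splunk btool outputs list --debug` before trusting the check. The `indexAndForward = false`, `useACK`, `sslVerifyServerCert` and `clientCert` settings in the constructed outputs.conf are standard tcpout settings shown to illustrate the hardened form; the certificate path is an assumption.
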
Splunk_rocks
Path Finder

Here is the inputs.conf file on my heavy forwarder:

[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Checkpoint_XX]
_rcvbuf = 1572864
disabled = false
host = XX
index = firewall
interval = 10
passAuth = splunk-system-user
sourcetype = sec


Splunk_rocks
Path Finder

I'm just trying to find way to redirect new data to new indexer server.
I don't need to reindex the old data.


Splunk_rocks
Path Finder

But in my case I want to completely redirect from the old to the new indexers.


mreynov_splunk
Splunk Employee

Do you want to move data previously indexed on old indexers to new indexers? Do you want to use both old indexers and new?

I am not familiar with redirecting from indexers to indexers, if anything - use existing forwarders and edit outputs.conf to forward to new indexers, which is what the link covers.
