- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can we redirect an index from a heavy forwarder to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can we redirect an index from a heavy forwarder to a different heavy forwarder?
Hi,
We are currently on version 6.3.3. The situation is the following:
We had a configuration of a Universal Forwarder that connected to a Heavy forwarder and that connected to an indexer. In that heavy forwarder, we did some index redirecting as the following:
transforms.conf
[Redirect1]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = redirect_test_index
props.conf
[host::TestHost]
priority = 100
TRANSFORMS-test1= Redirect1
The data from testhost was being sent by the universal forwarder that I previously mentioned. This worked fine as we indexed the information into the redirect_test_index
We wanted to do that redirecting on our universal forwarder server, not on the heavy forwarder. What we did was to migrate that universal forwarder to a heavy forwarder, and we have kept the connection like it was on the old universal forwarder (that now is a heavy forwarder). We removed the redirecting configuration from the old heavy forwarder to the new one, but it doesn't seem to work.
We have the new HF connect to the old HF, the new HF is not directly connected to an indexer. Could that be the issue?
The topology is: HF1 (old UF) -> HF2 -> Several Indexers
Thanks in advance,
Best Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have any reason to not connect your new HF directly to your indexers? It seems like an odd topology to have HF --> HF --> Indexers.
Is the universal out of the picture now and you've replaced the Universal Forwarder with a Heavy Forwarder?
Will it still match on the same hostname? You're doing that filtering in props with a specific hostname so make sure that hasn't changed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response, I will be commenting every question you asked in the following lines:
Do you have any reason to not connect your new HF directly to your indexers? It seems like an odd topology to have HF --> HF --> Indexers.
Yes, there is a reason why we want to do this. We want to separate and filter separate things in every HF. In the first one we will redirect indexes and on the other one we will filter events. In both we are using props and transforms files to do this.
Is the universal out of the picture now and you've replaced the Universal Forwarder with a Heavy Forwarder?
Yes, the universal no longer exists. Now we have only HF.
Will it still match on the same hostname? You're doing that filtering in props with a specific hostname so make sure that hasn't changed.
Yes, the hostname is the same.
We are asking the community because we are not sure if this is even something possible. It is our desire, due to topology needs but if it is not possible we will move back to the configuration we had before.
Thanks!
Best Regards
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
