Can we redirect an index from a heavy forwarder to a different heavy forwarder?

dsmc_adv
Path Finder

Hi,

We are currently on version 6.3.3. The situation is the following:

We had a configuration of a Universal Forwarder that connected to a Heavy forwarder and that connected to an indexer. In that heavy forwarder, we did some index redirecting as the following:

transforms.conf

[Redirect1]
# match every event (any single character in _raw)
REGEX = .
# rewrite the destination index instead of the event text
DEST_KEY = _MetaData:Index
FORMAT = redirect_test_index

props.conf

[host::TestHost]
# host-based stanza; a higher priority wins over overlapping source/sourcetype stanzas
priority = 100
TRANSFORMS-test1 = Redirect1

The data from testhost was being sent by the universal forwarder that I previously mentioned. This worked fine, as we indexed the information into the redirect_test_index.

We wanted to do that redirecting on our universal forwarder server, not on the heavy forwarder. What we did was to migrate that universal forwarder to a heavy forwarder, and we have kept the connection like it was on the old universal forwarder (that now is a heavy forwarder). We removed the redirecting configuration from the old heavy forwarder to the new one, but it doesn't seem to work.

We have the new HF connect to the old HF, the new HF is not directly connected to an indexer. Could that be the issue?
The topology is: HF1 (old UF) -> HF2 -> Several Indexers

Thanks in advance,
Best Regards

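To make the props/transforms mechanics in the question concrete, the following is an added model (not Splunk code and not from the poster) of how a host:: stanza, TRANSFORMS-<class> chains, DEST_KEY and FORMAT decide an event's index, and of what changes when two heavy forwarders are chained. It parses constructed copies of the two conf snippets above plus a hypothetical DropNoise transform standing in for the "filter events" stage planned for the second HF. The chain logic assumes Splunk's documented behaviour that index-time transforms run once, on the first heavy forwarder or indexer that sees the raw data, and that downstream instances receive already-cooked events; the exact host match and the file-order application of TRANSFORMS- classes are simplifications of the model.

```python
import re
from dataclasses import dataclass

# Constructed copies of the two conf snippets from the question, plus a
# hypothetical DropNoise rule for the "filter events" stage on the second HF.
TRANSFORMS_CONF = """
[Redirect1]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = redirect_test_index

[DropNoise]
REGEX = heartbeat
DEST_KEY = queue
FORMAT = nullQueue
"""

PROPS_REDIRECT = """
[host::TestHost]
priority = 100
TRANSFORMS-test1 = Redirect1
"""

PROPS_FILTER = """
[host::TestHost]
TRANSFORMS-drop = DropNoise
"""


def parse_conf(text):
    """Minimal parser for Splunk-style .conf text -> {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})   # repeated stanzas merge
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


@dataclass
class Event:
    host: str
    raw: str
    index: str = "main"        # default index when nothing rewrites it
    queue: str = "indexQueue"  # "nullQueue" means the event is dropped
    cooked: bool = False       # set once a parsing-phase instance has handled it


def matching_props(props, event):
    """host:: stanzas for this event, highest priority first (exact host match here)."""
    hits = [(int(b.get("priority", 0)), b) for n, b in props.items()
            if n.startswith("host::") and n[len("host::"):] == event.host]
    return [b for _, b in sorted(hits, key=lambda h: -h[0])]


def apply_transforms(event, props, transforms):
    """One heavy forwarder's parsing phase.

    Assumption modelled here: index-time transforms run only on the first full
    instance (HF or indexer) that sees raw data; later instances get cooked
    events and skip them. TRANSFORMS-<class> keys are applied in file order.
    """
    if event.cooked:
        return event
    for stanza in matching_props(props, event):
        for key, value in stanza.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]
                if not re.search(t["REGEX"], event.raw):
                    continue
                if t["DEST_KEY"] == "_MetaData:Index":
                    event.index = t["FORMAT"]
                elif t["DEST_KEY"] == "queue":
                    event.queue = t["FORMAT"]
    event.cooked = True
    return event


def route(chain, host, raw):
    """Send one event through an ordered chain of (props, transforms) stages."""
    event = Event(host=host, raw=raw)
    for props, transforms in chain:
        event = apply_transforms(event, props, transforms)
    return event.index, event.queue


TRANSFORMS = parse_conf(TRANSFORMS_CONF)
REDIRECT_STAGE = (parse_conf(PROPS_REDIRECT), TRANSFORMS)
FILTER_STAGE = (parse_conf(PROPS_FILTER), TRANSFORMS)
COMBINED_STAGE = (parse_conf(PROPS_REDIRECT + PROPS_FILTER), TRANSFORMS)

if __name__ == "__main__":
    # Old layout: UF (no parsing) -> HF with the redirect -> indexers
    print(route([REDIRECT_STAGE], "TestHost", "heartbeat ok"))
    # New layout: HF1 redirects, HF2 is meant to filter but only sees cooked data
    print(route([REDIRECT_STAGE, FILTER_STAGE], "TestHost", "heartbeat ok"))
    # Both rule sets on the first parsing instance
    print(route([COMBINED_STAGE], "TestHost", "heartbeat ok"))
```

On a real instance, `splunk btool props list host::TestHost --debug` shows which file supplies each setting of the stanza, which is the quickest way to confirm that the stanza the model assumes is the one actually in effect on a given forwarder.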

ryanoconnor
Builder

Do you have any reason to not connect your new HF directly to your indexers? It seems like an odd topology to have HF --> HF --> Indexers.

Is the universal out of the picture now and you've replaced the Universal Forwarder with a Heavy Forwarder?

Will it still match on the same hostname? You're doing that filtering in props with a specific hostname so make sure that hasn't changed.

dsmc_adv
Path Finder

Thanks for the response. I will answer every question you asked in the following lines:

Do you have any reason to not connect your new HF directly to your indexers? It seems like an odd topology to have HF --> HF --> Indexers.

Yes, there is a reason why we want to do this. We want to separate and filter separate things in every HF. In the first one we will redirect indexes and on the other one we will filter events. In both we are using props and transforms files to do this.

Is the universal out of the picture now and you've replaced the Universal Forwarder with a Heavy Forwarder?
Yes, the universal no longer exists. Now we have only HF.

Will it still match on the same hostname? You're doing that filtering in props with a specific hostname so make sure that hasn't changed.
Yes, the hostname is the same.

We are asking the community because we are not sure if this is even possible. It is our desire, due to topology needs, but if it is not possible we will move back to the configuration we had before.

Thanks!
Best Regards
