I am planning to send logs to multiple Splunk indexers (by location), based on the log type, from one universal forwarder.
Example:
server-1 myapp1.log -> indexer-South
         myapp2.log -> indexer-south
         myapp3.log -> indexer-east
         myapp4.log -> indexer-east
server-2 myapp1.log -> indexer-South
         myapp2.log -> indexer-south
         myapp3.log -> indexer-east
         myapp4.log -> indexer-east
Can this be done? I would like some feedback on how to do that.
Thanks
Hi,
Yes, you can do this.
You need to create two output.conf stanzas
[tcpout:south]
server=server_south:9997
[tcpout:east]
server=server_east:9997
Then you need to do a TCP_routing in inputs.conf
[monitor://path/myapp1.log]
_TCP_ROUTING = south
[monitor://path/myapp3.log]
_TCP_ROUTING = east
Hope this helps. You have to create an input stanza for each log in this example, but you can also do the matching via regex to reduce the number of input stanzas.
Kind regards
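A consistency check for the routing described in the answer above, as an added example that is not part of the original thread or Splunk's own tooling: it reads an outputs.conf and an inputs.conf, resolves each monitored file to its indexer, and flags any `_TCP_ROUTING` value that names no `[tcpout:<group>]` stanza. The `/opt/myapp/logs` path, the `defaultGroup` line and the function names are assumptions made for the example.

```python
import configparser

# Constructed sample configs; the log path and defaultGroup line are assumptions.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = south
[tcpout:south]
server = server_south:9997
[tcpout:east]
server = server_east:9997
"""
INPUTS_CONF = """
[monitor:///opt/myapp/logs/myapp1.log]
_TCP_ROUTING = south
[monitor:///opt/myapp/logs/myapp2.log]
_TCP_ROUTING = south
[monitor:///opt/myapp/logs/myapp3.log]
_TCP_ROUTING = east
[monitor:///opt/myapp/logs/myapp4.log]
_TCP_ROUTING = east
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (_TCP_ROUTING is upper case)
    cp.read_string(text)
    return cp

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def resolve_routes(inputs_text, outputs_text):
    """Return ({monitored path: [indexer, ...]}, [problems])."""
    outputs, inputs = _parse(outputs_text), _parse(inputs_text)
    groups = {s.split(":", 1)[1]: _csv(outputs[s].get("server", ""))
              for s in outputs.sections() if s.startswith("tcpout:")}
    default = outputs.get("tcpout", "defaultGroup", fallback="")
    routes, problems = {}, []
    for stanza in inputs.sections():
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):]
        names = _csv(inputs[stanza].get("_TCP_ROUTING", default))
        if not names:
            problems.append(f"{path}: no _TCP_ROUTING and no defaultGroup")
        unknown = [g for g in names if g not in groups]
        problems += [f"{path}: unknown tcpout group '{g}'" for g in unknown]
        routes[path] = [srv for g in names if g in groups for srv in groups[g]]
    return routes, problems
```

Running `resolve_routes` against the forwarder's real files before deploying them catches a mistyped group name, which would otherwise leave a log with no matching output group.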
Perfect, thanks much TStrauch