Can we send data to nullqueue at indexer layer. So...

SagarSplunk · ‎06-13-2017

Hi All,

We have 2 Splunk instances first instance existing one to monitor security logs and second instance (to be) is to monitor Application logs, both are separate instances.
But universal forwarders used are having inuputs.conf configured for both instances.
First instance architecture:- UF --> Indexers
Second instance architecture :- UF-->HF-->Indexers
Below are the requirement questions:-
1) Inputs for both the instances are configured in one config file at UF layer. Can we perform routing of data at UF layer to both instances so that will be indexing the data required for that particular instance.
2)If the above option is not possible. can we drop data at indexer layer for first instance so that it will index only data required for instance 1.
e.g. abc.log and efg.log both the logs are on same UF (server123). abc.log should get forwarded to instance 1 and efg.log should get forwarded to insatnce2

woodcock · ‎06-16-2017

Yes, you can drop it at the indexers and it will not consume license.

adonio · ‎06-14-2017

hello there:
many answers in this portal, some examples:
https://answers.splunk.com/answers/92257/can-single-forwarder-forward-data-to-two-different-indexers...
https://answers.splunk.com/answers/218274/can-you-send-different-logs-to-different-indexers.html
regarding heavy forwarder, read docs here:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Forwarding/Routeandfilterdatad
outputs.conf on docs here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Configureforwarderswithoutputs.co...
hope it helps

Can we send data to nullqueue at indexer layer. So that it will consume license.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!