Getting Data In

Selective forwarding and overrride destination sourcertype and index

adityapavan18
Contributor

I have a setup where syslog feed is received by a heavy forwarder on udp port. Syslog feed on that particular udp port has sourcetype=syslog_feed and index=syslog_index . And from there i have to route the syslog feed to Actual Indexers.

Now what configuration changes i have to make to forward the data with sourcetype=sl_feed and destination index=sl_index .

Tags (1)
0 Karma

kristian_kolb
Ultra Champion

Hi there,

If you use a Heavy forwarder, you should set the correct sourcetype and index there straight away, since a Heavy forwarder will perform the input and parsing phases. Therefore you should edit the inputs.conf on the Heavy forwarder to the values you want, i.e. sl_feed and sl_index.

For more information on what configuration goes where, see http://docs.splunk.com/Documentation/Splunk/4.3.3/Admin/Configurationparametersandthedatapipeline or
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

Kristian

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...