Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Selective forwarding and overrride destination sourcertype and index

adityapavan18
Contributor
‎08-05-2012 12:49 AM

I have a setup where syslog feed is received by a heavy forwarder on udp port. Syslog feed on that particular udp port has sourcetype=syslog_feed and index=syslog_index . And from there i have to route the syslog feed to Actual Indexers.

Now what configuration changes i have to make to forward the data with sourcetype=sl_feed and destination index=sl_index .

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-13-2012 03:49 AM

Hi there,

If you use a Heavy forwarder, you should set the correct sourcetype and index there straight away, since a Heavy forwarder will perform the input and parsing phases. Therefore you should edit the inputs.conf on the Heavy forwarder to the values you want, i.e. sl_feed and sl_index.

For more information on what configuration goes where, see http://docs.splunk.com/Documentation/Splunk/4.3.3/Admin/Configurationparametersandthedatapipeline or
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

Kristian

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...