Getting Data In

Forwarding specific data?

Robbie1194
Communicator

Hi Guys,

My question is, is it possible to only forward specific data to my Splunk environment?

So my situation is:

I have a distributed production environment and 2 separate development servers with standalone instances of Splunk. I want to forward the Linux logs from my DEV servers to my production environment. Is this possible without forwarding the other data we index in this development environment? We put data into these dev servers before we put it into production, so we don't want all of the data going into dev to be forwarded to production; we only want the Linux server logs!

I thought about installing a separate UF on the dev boxes and getting that to do the job, but the management port 8089 is already in use by the main Splunk instance, and it's a bit of a hassle setting things up for a new management port etc.

Cheers!

0 Karma
1 Solution

gcusello
SplunkTrust

Hi Robbie1194,
if you want to forward all Linux logs, you could configure the Universal Forwarders on the Linux servers to send logs to both the DEV and Production servers.
If instead you want to send logs from the DEV Splunk server to the Production servers, see the part "Filter and route event data to target groups" at http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
Remember that you are indexing your logs twice!

Maybe (I don't know if it's compatible with your security policies), you could send the Linux logs only to the Production systems and, configuring your DEV Splunk as a Search Head, search the Linux logs on the production systems.

Bye.
Giuseppe
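To make the "filter and route to target groups" step concrete for Robbie's case, here is an added example configuration. It is not from the original post, the Splunk documentation, or any of the posters; it is written from the outputs.conf / inputs.conf / props.conf / transforms.conf settings as I know them, and should be checked against the `.spec` files shipped with your Splunk version. The hostnames, the `prod_indexers` group name, the `os` index and the `/var/log` path are placeholders. The key idea is that the DEV instance gets a tcpout target group but no `defaultGroup`, so only inputs (or transforms) that explicitly set `_TCP_ROUTING` are forwarded; everything else stays on DEV.

```ini
# ===== On each DEV Splunk instance (the one that also indexes the dev data) =====

# $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
# Deliberately NO defaultGroup here. Per outputs.conf.spec (assumption, verify for
# your version), data is only forwarded when an input or transform sets
# _TCP_ROUTING, so the rest of the dev data is not sent to production.

[tcpout:prod_indexers]
# Placeholder hostnames of the production receiving indexers.
server = prod-idx01.example.internal:9997, prod-idx02.example.internal:9997

[indexAndForward]
# Keep indexing everything locally on DEV; routed events are indexed here AND
# forwarded (this is the "indexed twice" the answer warns about).
index = true

# $SPLUNK_HOME/etc/system/local/inputs.conf
[monitor:///var/log]
# The dev box's own Linux logs: tag this whole input for forwarding to prod.
_TCP_ROUTING = prod_indexers
index = os
sourcetype = syslog

# ----- Alternative: route by sourcetype instead of by input -----
# Use this pair INSTEAD of _TCP_ROUTING in inputs.conf when the Linux logs
# arrive through an input that also carries other data.

# $SPLUNK_HOME/etc/system/local/props.conf
[syslog]
TRANSFORMS-route_linux = route_linux_to_prod

# $SPLUNK_HOME/etc/system/local/transforms.conf
[route_linux_to_prod]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = prod_indexers

# ===== On each production indexer =====
# $SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp://9997]
disabled = 0
```

After a restart of the DEV instance, `splunk btool outputs list --debug` and `splunk btool inputs list --debug` show the effective stanzas and which file each setting came from, which is the quickest way to confirm no stray `defaultGroup` is set elsewhere (for example in an app). Since the DEV box is the less trusted side of this link, consider also configuring the TLS settings in the `[tcpout:...]` stanza (`sslRootCAPath`, `clientCert`, `sslVerifyServerCert`) so the production receivers only accept forwarders presenting a certificate you issued.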

Robbie1194
Communicator

Not got this working yet but I'm on the right tracks now thanks to this. Cheers!

0 Karma