Getting Data In

Forwarding specific data?

Robbie1194
Communicator

Hi Guys,

My question is, is it possible to only forward specific data to my Splunk environment?

So my situation is:

I have a distributed production environment and 2 separate development servers with standalone instances of Splunk. I want to forward the linux logs from my DEV servers to my production environment, is this possible without forwarding other data we index in this development environment? We put data into these dev servers before we put it into production so we don't want all of the data we have going into dev forwarding to production, we only want the linux server logs!

I thought about installing a separate UF on the dev boxes and getting that to do the job but the management port 8089 is already in use from the main splunk instance and it's a bit of a hassle setting stuff up for a new management port etc.

Cheers!


gcusello
SplunkTrust
SplunkTrust

Hi Robbie1194,
if you want to forward all Linux logs, you could configure the Universal Forwarders on the Linux servers to send logs to both the DEV and Production servers.
If instead you want to send logs from the DEV Splunk server to the Production servers, see the section "Filter and route event data to target groups" at http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
Remember that you are indexing your logs twice!

Maybe (I don't know if it's compatible with your security policies), you could send the Linux logs only to the Production systems and, configuring your DEV Splunk as a Search Head, search the Linux logs on the production systems.

Bye.
Giuseppe
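A concrete form of the routing setup the linked documentation page describes, written here as an added example (it is not from the original post and not copied from Splunk's docs): configuration for the standalone DEV Splunk instance that keeps indexing everything locally but forwards only the Linux sourcetypes to a production target group. The hostnames, the receiving port and the sourcetype names are assumed placeholders; `indexAndForward`, `defaultGroup`, `_TCP_ROUTING` and the `TRANSFORMS-` mechanism are standard Splunk settings.

```ini
# --- On the DEV Splunk instance (a full instance, not a Universal Forwarder) ---

# $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
# Keep indexing on DEV. A full instance with a tcpout group configured
# would otherwise forward instead of indexing locally.
indexAndForward = true
# Deliberately NO defaultGroup here: data that matches no routing rule
# below is indexed on DEV only and never leaves the box.

[tcpout:prod_indexers]
# Assumed production indexer hostnames and receiving port (placeholders).
server = prod-idx1.example.com:9997, prod-idx2.example.com:9997

# $SPLUNK_HOME/etc/system/local/props.conf
# Attach the routing transform only to the Linux sourcetypes wanted in prod.
# Sourcetype names are examples; use whatever your Linux inputs produce.
[linux_secure]
TRANSFORMS-routing = route_linux_to_prod

[linux_messages_syslog]
TRANSFORMS-routing = route_linux_to_prod

[syslog]
TRANSFORMS-routing = route_linux_to_prod

# $SPLUNK_HOME/etc/system/local/transforms.conf
# Match every event of those sourcetypes and set its TCP routing to the
# production group defined in outputs.conf.
[route_linux_to_prod]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = prod_indexers

# --- On each production indexer ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp://9997]
disabled = 0
```

Restart splunkd on DEV after editing. Two caveats worth checking before trusting the rule: sourcetype-level `TRANSFORMS-` routing is applied in the parsing pipeline, so it only affects data that DEV itself parses (raw input from Universal Forwarders or local files), not data that arrives already parsed from a heavy forwarder; and because nothing else should leave DEV, confirm on production with a search such as `host=<dev-host> | stats count by sourcetype` that only the Linux sourcetypes appear, and on DEV with `index=_internal source=*metrics.log group=tcpout_connections` that the connection to `prod_indexers` is established.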


Robbie1194
Communicator

Not got this working yet but I'm on the right tracks now thanks to this. Cheers!
