Splunk Enterprise Security

forwarding from index_a to index_b

shahchintant
Engager

If events are coming in from heavy forwarder 1 to heavy forwarder 2, is it possible to change the index name on HF B in inputs.conf?

For example:
I have source-A sending application-x logs to HF1; those application-x logs are coming in syslog format on port-123 udp,

source-A -------->port xyz/tcp on HF1 (inputs.conf configured to map that port to index_A)-------------->coming on port xyz/tcp to HF2 (define events to go to index_B in inputs.conf for port 321/udp?) ------> indexers (stores logs in index_B).

I want to take those logs and map them to index_B instead of index_A. Is it possible?

Changing it on HF1 is not possible, as I have no control over it.

Additional question:

The source is the same, and 3 event types are coming in on 3 indexes:
Source A (index_A1, index_A2, index_A3) on port xyz

Can we change those indexes to:
Source A (index_B1,index_B2,index_B3) on port xyz on HFs?

0 Karma

FrankVl
Ultra Champion

Assuming HF1 is forwarding cooked data to a splunktcp input on HF2, I don't think the regular metadata overriding concepts work. I'm not aware of a way to override metadata fields like the index in cooked data.

Perhaps there is a way to read things from the index A and then write it to index B (and then setting index A to a very low retention time), but that means indexing things twice, which gets rather expensive if this is a significant volume of data.
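The topology from the question and the re-index workaround from this answer, written out as an added configuration example (not from the original thread); hostnames, ports and the sourcetype are assumed placeholders:

```ini
# --- HF1 (not under the asker's control): raw syslog in, index assigned here ---
# inputs.conf on HF1
[udp://123]
index = index_A
sourcetype = application_x    ; assumed sourcetype name
connection_host = ip

# outputs.conf on HF1: events leave HF1 already parsed ("cooked")
[tcpout]
defaultGroup = hf2
[tcpout:hf2]
server = hf2.example.com:9997  ; assumed hostname

# --- HF2: receives cooked data on a splunktcp input ---
# inputs.conf on HF2
[splunktcp://9997]
# The index was fixed on HF1 during parsing; setting index = index_B here
# or using props/transforms on HF2 does not override it for cooked data.

# --- Workaround from the answer above: copy events into index_B afterwards ---
# savedsearches.conf on the search head
[copy_index_A_to_index_B]
search = index=index_A sourcetype=application_x earliest=-15m@m latest=@m | collect index=index_B
cron_schedule = */15 * * * *
enableSched = 1

# indexes.conf on the indexers: keep index_A only briefly, since the data
# now lives twice (once in index_A, once in index_B)
[index_A]
frozenTimePeriodInSecs = 86400
```

Note that `collect` writes the copied events with sourcetype `stash` unless told otherwise, so searches against index_B need to account for that.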

shahchintant
Engager

Yes, thank you. It is cooked data. Probably can't change the index on the fly.

0 Karma

HiroshiSatoh
Champion
0 Karma

FrankVl
Ultra Champion

No, because that has a universal forwarder as the first forwarder.

0 Karma

shahchintant
Engager

Yep, it's not a UF, it's an HF.

0 Karma