Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you configure a Universal Forwarder output to send to two separate Heavy Forwarders?

Log_wrangler
Builder
‎11-09-2018 08:03 AM

I need to send two copies of events to two different HFs (not load-balanced).

I want to use a UF on a server to send events to a HF which will send cooked to the indexers, and I want the UF to send the same events to a different HF that will send raw (uncooked) events to a 3rd party.

Can the UF handle sending the data twice?

Thank you

Reply
1 Solution
Solved! Jump to solution
Solution

markusspitzli
Communicator
‎02-22-2019 12:32 AM

Hey.

This documentation will help you: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Basically you have to configure two different destinations in outputs.conf:

[tcpout]
defaultGroup=myroute

[tcpout:myroute]
disabled=false
server=10.1.12.1:9997

[tcpout:anotherroute]
disabled=false
server=10.1.12.2:9997

Then you have to configure the props.conf for which sourcetype, host, or source you want to clone the data. 

[mysourcetype]
TRANSFORMS-routing = routing

[host::myhost]
TRANSFORMS-routing = routing

[source::/var/log/messages]
TRANSFORMS-routing = routing

Of course you have to configure the transforms.conf

[routing]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=myroute,anotherroute

that should do the job

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

markusspitzli
Communicator
‎02-22-2019 12:32 AM

Hey.

This documentation will help you: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Basically you have to configure two different destinations in outputs.conf:

[tcpout]
defaultGroup=myroute

[tcpout:myroute]
disabled=false
server=10.1.12.1:9997

[tcpout:anotherroute]
disabled=false
server=10.1.12.2:9997

Then you have to configure the props.conf for which sourcetype, host, or source you want to clone the data. 

[mysourcetype]
TRANSFORMS-routing = routing

[host::myhost]
TRANSFORMS-routing = routing

[source::/var/log/messages]
TRANSFORMS-routing = routing

Of course you have to configure the transforms.conf

[routing]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=myroute,anotherroute

that should do the job

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...