Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Two Indexers - Blacklist Data to Specific Indexer

DBattisto
Communicator
‎02-18-2019 05:48 AM

Good morning all-

I'm working on a design in my lab where we have two indexers. I have data for one of the indexes 'networkvideo' that I want to only go to one of the indexers, while all of the other data gets sent to both. I'm having trouble getting my outputs.conf file to work properly. I read that 'forwardedindex' statements will work only in the global 'tcpout' stanza. How can I modify this to apply to only one of the indexers?

I appreciate any and all assistance. Below is a version of my work that I know is incorrect, but has all of the important pieces within:

[tcpout]
defaultGroup = indexer1,indexer2

#overwrite the defaults:
forwardedindex.0.whitelist =
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
#new blacklist:
forwardedindex.0.blacklist=networkvideo

[tcpout:indexer1]
server = xx.xx.xx.1

[tcpout:indexer2]
server = xx.xx.xxx.2

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-18-2019 12:06 PM

Hi @DBattisto

I am pretty sure you can't use the blacklist to do this. You should instead setup two tcpout groups and then use props.conf and transforms.conf to route your data as described here:

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Configure_routing

Hope this helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-18-2019 12:06 PM

Hi @DBattisto

I am pretty sure you can't use the blacklist to do this. You should instead setup two tcpout groups and then use props.conf and transforms.conf to route your data as described here:

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Configure_routing

Hope this helps

0 Karma
Reply
Solved! Jump to solution

DBattisto
Communicator
‎02-19-2019 04:30 AM

Thanks Chris, I think I can make it work. I'm going to set up a second indexer on my lab later today and work it out. I think this would work:

$/etc/system/local/props.conf:
#
# directs any 'networkvideo' data to indexer2
[networkvideo]
TRANSFORMS-routing=networkvideorouting

$/etc/system/local/transforms.conf:
#
# How to route the data:
[networkvideorouting]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Indexer2

where 'FORMAT' in the transforms.conf stanza links to the 'Indexer2' stanza in my outputs.conf file.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...