Guys, I wish to collect all events from my windows server security log and send to my main Splunk enterprise instance but also send a subset of events to my test instance. At the forwarder, how could I achieve this?
Hi @shocko,
You can use _TCP_ROUTING in inputs.conf to achieve this.
In outputs.conf, create stanzas for each receiving indexer:
[tcpout:systemGroup]
server=server1:9997
[tcpout:applicationGroup]
server=server2:9997
In inputs.conf, specify _TCP_ROUTING to set the stanza in outputs.conf that each input should use for routing:
[monitor://.../file1.log]
_TCP_ROUTING = systemGroup
[monitor://.../file2.log]
_TCP_ROUTING = applicationGroup
Reference
- Route_inputs_to_specific_indexers_based_on_the_data_input
- https://answers.splunk.com/answers/481742/how-can-we-send-data-to-2-different-groups-of-inde.html
Note: Make sure that your forwarder has connectivity to both the indexers.
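As an added illustration (not part of the answer above or of Splunk's own tooling), the following Python script checks a forwarder's inputs.conf against its outputs.conf before deployment: it resolves every _TCP_ROUTING value (a comma-separated list of tcpout group names, falling back to the [tcpout] defaultGroup) and flags any group name that no [tcpout:NAME] stanza defines, which otherwise surfaces only as silently dropped or misrouted events. The sample configs are constructed for this example; the WinEventLog://Security input lists both groups to show how one input is delivered to two indexer groups, and the typo.log stanza deliberately carries a misspelled group name so the check has something to catch.

```python
"""Validate _TCP_ROUTING references between a forwarder's inputs.conf and outputs.conf.

Added example; the file contents below are constructed, not taken from the post.
"""
import re

# Constructed outputs.conf modelled on the answer above.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = systemGroup

[tcpout:systemGroup]
server = server1:9997

[tcpout:applicationGroup]
server = server2:9997
"""

# Constructed inputs.conf: one input routed to both groups, one per group,
# and one with a deliberately misspelled group name.
INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
_TCP_ROUTING = systemGroup,applicationGroup

[monitor:///var/log/file1.log]
_TCP_ROUTING = systemGroup

[monitor:///var/log/file2.log]
_TCP_ROUTING = applicationGroup

[monitor:///var/log/typo.log]
_TCP_ROUTING = applicatonGroup
"""


def parse_conf(text):
    """Minimal parser for Splunk .conf files: returns {stanza: {key: value}}.

    Handles '#' comments and '[name]' headers; assumes no line continuations
    (enough for the routing keys checked here, not a full conf parser).
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def output_groups(outputs):
    """Names of the tcpout groups defined in outputs.conf ([tcpout:NAME] stanzas)."""
    return {name.split(":", 1)[1] for name in outputs if name.startswith("tcpout:")}


def routing_table(inputs, outputs):
    """Map each input stanza to the list of groups it routes to.

    Inputs without _TCP_ROUTING fall back to defaultGroup in [tcpout];
    both values are comma-separated lists of group names.
    """
    default = outputs.get("tcpout", {}).get("defaultGroup", "")
    table = {}
    for stanza, keys in inputs.items():
        raw = keys.get("_TCP_ROUTING", default)
        table[stanza] = [g.strip() for g in raw.split(",") if g.strip()]
    return table


def find_unresolved(inputs, outputs):
    """Return {input stanza: [group names that no [tcpout:NAME] stanza defines]}."""
    defined = output_groups(outputs)
    bad = {}
    for stanza, groups in routing_table(inputs, outputs).items():
        missing = [g for g in groups if g not in defined]
        if missing:
            bad[stanza] = missing
    return bad


def inputs_reaching(group, inputs, outputs):
    """Sorted input stanzas whose events are delivered to the given output group."""
    return sorted(s for s, gs in routing_table(inputs, outputs).items() if group in gs)


if __name__ == "__main__":
    inp, out = parse_conf(INPUTS_CONF), parse_conf(OUTPUTS_CONF)
    for stanza, groups in routing_table(inp, out).items():
        print(f"{stanza} -> {', '.join(groups) or '(no route)'}")
    for stanza, missing in find_unresolved(inp, out).items():
        print(f"WARNING: {stanza} references undefined group(s): {missing}")
```

Run it against the real files by replacing the two constants with the contents of the forwarder's etc/system/local (or app-level) inputs.conf and outputs.conf; the routing table it prints is a quick way to confirm that the main instance's group receives every input while the test instance's group receives only the intended subset.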
Thanks so much! That worked 🙂