Getting Data In

Forward Data to Independent Indexer

jwelters
Explorer

I'm trying to determine how to send my data as it's being indexed to a secondary indexer. That in itself is easy; the catch is that currently I have many indexes and the indexer I'm required to send the data to has one.

So I need to forward indexed data to a single index on a remote indexer. I have no ability to configure the remote indexer.

Does anyone have any suggestions that may help in accomplishing this?

0 Karma

alacercogitatus
SplunkTrust

There are ways to index and forward data, but I believe that the built-in method sends index-specific data, so you would have to have a duplicate config. If you aren't worried about license, you can send all the indexed data as syslog to the remote indexer, and have it re-index there on the single index.

[syslog]
defaultGroup = <target_group>, <target_group>, ...
[syslog:<target_group>]
server = [<ip>|<servername>]:<port>

0 Karma

jwelters
Explorer

You are correct, except for how do I configure it so when I send it I'm able to send data from multiple indexes to one. I only have one index as the destination; however, I have multiple on my system. So far syslog seems to be the only approach I can find that might work; however, the lack of encryption is concerning.

0 Karma

alacercogitatus
SplunkTrust

Then you'll want to follow this: http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Forwarddatatothird-partysystemsd#TCP_data . You can send it TCP (uncooked) and have the remote accept it as a normal tcp input.

0 Karma
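
The uncooked-TCP approach from the reply above, sketched as an outputs.conf fragment for the sending indexer. This is an added example, not part of the original posts: the group name, host, port and certificate paths are placeholders, and the TLS lines assume the remote side offers a TLS-enabled raw TCP input, which the thread does not confirm.

```ini
# outputs.conf on the local (sending) indexer.
# Added example: group name, host, port and file paths are placeholders.

[tcpout]
# Route all forwarded events to the single remote group.
defaultGroup = remote_single_index
# Keep indexing locally into the existing indexes while forwarding a copy.
indexAndForward = true

[tcpout:remote_single_index]
# Placeholder address of the remote indexer's raw TCP input.
server = remote-indexer.example.com:5140

# Uncooked output: only the raw event text goes on the wire. The local
# index name is not transmitted, so events from every local index arrive
# in whatever index the remote input assigns. That is what collapses
# many source indexes into one without touching the remote config.
sendCookedData = false

# Transport encryption (assumption: the remote input terminates TLS).
# Without these lines the stream is plaintext, the same exposure as the
# syslog option discussed in this thread.
# Setting names follow the 5.x outputs.conf.spec that the linked docs
# belong to; verify them against the spec shipped with your version.
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder-client.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/remote-ca.pem
# Reject the connection if the remote certificate does not chain to the
# CA above, so events are not handed to an impostor endpoint.
sslVerifyServerCert = true
```
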

jwelters
Explorer

I thought of sending it as syslog, however the encryption of forwarding it as Splunk data is desired. I don't care about the remote indexers licensing whatsoever. The challenge as you mention is sending data from 30+ indexes to one index. Syslog might be the only option for us.

0 Karma