Can we send data to nullqueue at indexer layer. So...

SagarSplunk · ‎06-13-2017

Hi All,

We have 2 Splunk instances first instance existing one to monitor security logs and second instance (to be) is to monitor Application logs, both are separate instances.
But universal forwarders used are having inuputs.conf configured for both instances.
First instance architecture:- UF --> Indexers
Second instance architecture :- UF-->HF-->Indexers
Below are the requirement questions:-
1) Inputs for both the instances are configured in one config file at UF layer. Can we perform routing of data at UF layer to both instances so that will be indexing the data required for that particular instance.
2)If the above option is not possible. can we drop data at indexer layer for first instance so that it will index only data required for instance 1.
e.g. abc.log and efg.log both the logs are on same UF (server123). abc.log should get forwarded to instance 1 and efg.log should get forwarded to insatnce2

woodcock · ‎06-16-2017

Yes, you can drop it at the indexers and it will not consume license.

adonio · ‎06-14-2017

hello there:
many answers in this portal, some examples:
https://answers.splunk.com/answers/92257/can-single-forwarder-forward-data-to-two-different-indexers...
https://answers.splunk.com/answers/218274/can-you-send-different-logs-to-different-indexers.html
regarding heavy forwarder, read docs here:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Forwarding/Routeandfilterdatad
outputs.conf on docs here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Configureforwarderswithoutputs.co...
hope it helps

Can we send data to nullqueue at indexer layer. So that it will consume license.

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability