need to limit what servers are sending logs to an ...

ralphw_SAIC · ‎07-02-2018

We have multiple window SUFs sending logs to a HF that then divide the winevent:security logs between two indexers. One indexer needs to receive logs from all servers, the second indexer needs to receive logs from only particular servers.

Any idea on how i can go about setting this up? I have a custom transform and props configs that will split the event ids between the two indexers, but i need to limit which servers go to the second indexer as well.

solarboyz1 · ‎07-02-2018

On the heavy forwarder:

Create and output group:
outputs.conf:

[tcpout:hostGroup]
server=10.20.30.40:9999
Configure a props entry for the sourcetype in question:

[sourcetype_to_split]
TRANSFORMS-index = hostRedirect
Create the output routing transforms.conf:

[hostRedirect]
SOURCE_KEY = host
REGEX = (host1|host2|host3|host4)
IndexDEST_KEY=_TCP_ROUTING
FORMAT=hostGroup

ralphw_SAIC · ‎07-03-2018

This looks to break things.

Simplifying my setup a bit, IDX-1 receives limited eventIDs for all hosts, IDX-2 receives all eventIDs for a subset of hosts.

need to limit what servers are sending logs to an indexer

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?