Hi everyone,
I'm looking for a solution to forward some events to another Splunk server. I need to forward specific events only (e.g. events with httpCode=500). I saw in the documentation that I can deploy a universal forwarder and then configure filters by editing props.conf. From what I understood, forwarders are set up on each server where we need to capture data. I would like to avoid this and have a centralized solution.
I'm wondering if it's the only way to do it. Is it possible to set a search in the Splunk web UI and then send the events to a particular server?
My concern is to be able to filter events from a centralized server.
Thanks for your help