I have two Splunk search heads and indexers. Currently, all of the data sourcetypes get indexed on the primary Splunk instance; I'm looking to split this and index specific sourcetypes on a second Splunk instance.
I'm currently trying to take a data feed with the sourcetype of "people" and use outputs.conf, props.conf, and transforms.conf to do so but am not able to get it to work. Here is my current configuration in /opt/splunk/etc/system/local:
[outputs.conf]
[tcpout]
indexAndForward=0
[tcpout:s2]
server = x.x.x.x:9997
compressed = false
sendCookedData = false

[transforms.conf]
[forward_cdr_to_s2]
SOURCE_KEY = MetaData:Sourcetype
REGEX = people
DEST_KEY = _TCP_ROUTING
FORMAT = s2

[props.conf]
TRANSFORMS-routing = forward_cdr_to_s2
I was hoping this would take the "people" sourcetype as specified in the regex expression and source_key and route it to the Splunk server specified in [tcpout:s2] with the same index/sourcetype in the secondary Splunk instance. Any thoughts? Thanks in advance!
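An added example, not from the post or from Splunk itself: a small Python check that walks the props → transforms → outputs chain for one sourcetype and reports where the routing breaks. The POSTED strings are the three files exactly as shown above; FIXED is this example's own assumption of the corrected form (a [people] stanza in props.conf, sendCookedData left at its default of true, indexAndForward switched on) and the function names are the example's own.

```python
import re

# Constructed sample: the three files as posted in the question, one string each.
POSTED = {
    "outputs": "[tcpout]\nindexAndForward=0\n[tcpout:s2]\nserver = x.x.x.x:9997\ncompressed = false\nsendCookedData = false\n",
    "transforms": "[forward_cdr_to_s2]\nSOURCE_KEY = MetaData:Sourcetype\nREGEX = people\nDEST_KEY = _TCP_ROUTING\nFORMAT = s2\n",
    "props": "TRANSFORMS-routing = forward_cdr_to_s2\n",
}
# Assumed corrected version (this example's own): scope the transform to [people], send cooked data, keep local indexing on.
FIXED = dict(POSTED, outputs="[tcpout]\nindexAndForward = true\n[tcpout:s2]\nserver = x.x.x.x:9997\n",
             props="[people]\nTRANSFORMS-routing = forward_cdr_to_s2\n")

def parse_conf(text):
    """Minimal Splunk .conf reader -> {stanza: {key: value}}; keys before any header land in ''."""
    stanzas, cur = {"": {}}, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            stanzas.setdefault(cur, {})
        elif "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            stanzas[cur][key.strip()] = val.strip()
    return stanzas

def lint(confs, sourcetype="people"):
    """Follow props -> transforms -> outputs for one sourcetype; return a list of findings ([] = consistent)."""
    outputs, transforms, props = (parse_conf(confs[k]) for k in ("outputs", "transforms", "props"))
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    findings = []
    if outputs.get("tcpout", {}).get("indexAndForward", "false").lower() in ("0", "false"):
        findings.append("indexAndForward is off: this instance forwards and indexes nothing locally")
    for g in groups:
        if outputs[f"tcpout:{g}"].get("sendCookedData", "true").lower() in ("0", "false"):
            findings.append(f"tcpout:{g}: sendCookedData=false sends raw data; a Splunk splunktcp receiver expects cooked data")
    scoped = {k: v for k, v in props.get(sourcetype, {}).items() if k.startswith("TRANSFORMS-")}
    if not scoped:
        findings.append(f"props.conf has no [{sourcetype}] stanza with a TRANSFORMS- key (a key outside any stanza is not scoped to it)")
    for names in scoped.values():
        for name in map(str.strip, names.split(",")):
            t = transforms.get(name)
            if t is None:
                findings.append(f"props references transform '{name}' that transforms.conf does not define")
            elif t.get("DEST_KEY") != "_TCP_ROUTING":
                findings.append(f"{name}: DEST_KEY must be _TCP_ROUTING to select a tcpout group")
            elif t.get("FORMAT") not in groups:
                findings.append(f"{name}: FORMAT '{t.get('FORMAT')}' matches no [tcpout:<group>] stanza in outputs.conf")
            elif not re.search(t.get("REGEX", ""), f"sourcetype::{sourcetype}"):
                findings.append(f"{name}: REGEX does not match the MetaData:Sourcetype value 'sourcetype::{sourcetype}'")
    return findings
```

Run `lint(POSTED)` and `lint(FIXED)` to compare; the check only covers whether the chain is wired consistently, not whether the routed events should also be indexed locally.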