I have one splunk indexer that receives data from a variety of hosts. I want to also forward the data coming in from about 3-4 of these hosts to a second Splunk indexer, while also indexing the data on the first indexer. All the hosts I want to forward happen to be coming in through syslog, but that might not always be true.
This is what I have on the first indexer:
In props.conf:
[host::host1.xxxxxxx.xxx]
TRANSFORMS-routing=InfoSecRouting
[host::host2.xxxxxxx.xxx]
TRANSFORMS-routing=InfoSecRouting
[host::host3.xxxxxxx.xxx]
TRANSFORMS-routing=InfoSecRouting
[host::host4.xxxxxxx.xxx]
TRANSFORMS-routing=InfoSecRouting
[host::host5.xxxxxxx.xxx]
TRANSFORMS-routing=InfoSecRouting
In transforms.conf:
[InfoSecRouting]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=InfoSecGroup
In outputs.conf:
[tcpout]
defaultGroup=none
indexAndForward=true
[tcpout:InfoSecGroup]
server=10.110.70.183:9002
On the second indexer, I have the following in inputs.conf:
[default]
host = indexer2
[splunktcp://9002]
index = operations
This doesn't seem to be working. The first indexer is still indexing these hosts, but nothing is being forwarded to the second indexer. I came up with these settings based on the forwarding and routing section of the Splunk manual.
Thanks,
Brian