topic Re: Forwarding events to 2 indexer clusters but transform one copy in Splunk Enterprise

Forwarding events to 2 indexer clusters but transform one copy

klim — Wed, 04 Dec 2024 21:05:17 GMT

I have a heavy forwarder that sends the same event to two different indexer cluster. Now this event has a new field "X" that I only want to see in one of the indexer clusters.

I know in the props.conf I can configure the sourcetype to do the removal of the field but that would be on the sourcetype level. Is there any way to remove it on one copy and not the other?

Alternatively I could do the props.conf change on the indexer level instead.

Re: Forwarding events to 2 indexer clusters but transform one copy

isoutamo — Wed, 04 Dec 2024 22:46:58 GMT

Hi
you told here what is your solution to your issue, but what is your issue and especially why you are sending same event to two separate clusters? That means also duplicate licenses costs.

Basically you could do this by replicating sourcetype and then removed this field from replicated sourcetype. But maybe there is better solution when we understand your real issue?
r.Ismo

Re: Forwarding events to 2 indexer clusters but transform one copy

PickleRick — Thu, 05 Dec 2024 10:18:02 GMT

What business problem are you trying to solve? There has been lately an "outbreak" of ideas in line of "I want to send my events to two destinations but not as a precise copy".

Sending the same events to two different indexer( cluster)?s induces extra license consumption but also blocks one output when the other one is blocked so it makes your environment sensitive to any problems.

So back to the original question - what problem are you trying to solve?