topic Re: Forwarding and cloning specific index's to a third party splunk indexer in Splunk Enterprise

Forwarding and cloning specific index's to a third party splunk indexer

troyfredmsit — Wed, 02 Sep 2020 19:48:18 GMT

If a party decided to split all events into their own index's (IE. winevent_security to "security", winevernt_application to "application" etc), but then they had a third party security group that needed specific index's (in this case just the security index). How would one set it up to where that index still goes to the main splunk for the company but ONLY that log goes to the third party splunk as well. The idea is to use a heavy forwarder, but I am not sure how to specify the index. Right now I have all index's going to both but that is not a solution that everyone is comfortable with. Any help would be amazing.

Re: Forwarding and cloning specific index's to a third party splunk indexer

gjanders — Thu, 03 Sep 2020 04:17:04 GMT

props.conf:

[thesourcetype]
TRANSFORMS-route = route_to_third_party

transforms.conf:

[route_to_third_party]
SOURCE_KEY = _MetaData:Index
REGEX = ^(winevent)$
DEST_KEY=_TCP_ROUTING
FORMAT = mysplunkinstance, thirdpartyinoutputsconf

Perhaps?

Re: Forwarding and cloning specific index's to a third party splunk indexer

FritzWittwer — Thu, 03 Sep 2020 14:22:04 GMT

it can be done, see Forwarding/Route and filter data and CLONE_SOURCETYPE in Transforms.conf . But be warned, it becomes complicated and cumbersome if your rule set is large. You may look into Splunk Data Stream Processor, DSP or also a certain third party product, for a solution which scales.