https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44618#M22132 <P>Hi,</P> <P>The big problem seems to be that you, by default in <CODE>outputs.conf</CODE>, send all events to <CODE>a-output</CODE>, and then have a special configuration for your FW-data in <CODE>transforms.conf</CODE> to send it to the same place (<CODE>a-output</CODE>). </P> <P>Also, the destination seems to be the host where data originated (192.168.1.5), which seems a bit odd.</P> <HR /> <P>UPDATE:</P> <P>add an extra (group of) indexer(s) in the <CODE>outputs.conf</CODE> that specifies a separate indexer. There is no need to set autoLB=true, since that is a default value.</P> <PRE><CODE>[tcpout] defaultGroup = a-output indexAndForward = 1 [tcpout:a-output] server=your_ordinary_indexer:port [tcpout:fw-group] server=your_firewall_indexer:port </CODE></PRE> <P>Then you use the transform for the firewall data to use <CODE>fw-group</CODE> instead of <CODE>a-output</CODE>.</P> <P>Hope this helps,</P> <P>Kristian</P> Sun, 06 May 2012 10:46:11 GMT kristian_kolb 2012-05-06T10:46:11Z https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44617#M22131 <P>hi</P><P><BR /> I have a three host in indexer.</P><P></P> <P>I'm only one host, send another splunk-server.</P><P></P> <P>but, all host send another splunk-server.</P><P></P> <P>where is bug?</P><P></P> <P>thanks</P><P></P> <P>-- inputs.conf --</P> <PRE><CODE>[udp://514] connection_host = ip index = main sourcetype = test_syslog disabled = 0 </CODE></PRE> <P>-- props.conf --</P> <PRE><CODE>[host::192.168.1.5] TRANSFORMS-data1 = change-index1, change-source1, fw-forward [host::192.168.1.4] TRANSFORMS-data2 = change-index2, change-source2 [host::192.168.1.3] TRANSFORMS-data3 = change-index3, change-source3 </CODE></PRE> <P>-- transforms.conf --</P> <PRE><CODE>[change-index1] DEST_KEY = _MetaData:Index REGEX=. FORMAT = IDX_1 [change-source1] DEST_KEY = MetaData:Source REGEX=. FORMAT = source::firewall-1 [fw-forward] REGEX=. DEST_KEY = _TCP_ROUTING FORMAT = a-output </CODE></PRE> <P>-- outputs.conf --</P> <PRE><CODE>[tcpout] defaultGroup = a-output indexAndForward = 1 [tcpout:a-output] autoLB=true server=192.168.1.5:9004 </CODE></PRE> <HR /> Sun, 06 May 2012 09:01:15 GMT https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44617#M22131 khyoung7410 2012-05-06T09:01:15Z https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44618#M22132 <P>Hi,</P> <P>The big problem seems to be that you, by default in <CODE>outputs.conf</CODE>, send all events to <CODE>a-output</CODE>, and then have a special configuration for your FW-data in <CODE>transforms.conf</CODE> to send it to the same place (<CODE>a-output</CODE>). </P> <P>Also, the destination seems to be the host where data originated (192.168.1.5), which seems a bit odd.</P> <HR /> <P>UPDATE:</P> <P>add an extra (group of) indexer(s) in the <CODE>outputs.conf</CODE> that specifies a separate indexer. There is no need to set autoLB=true, since that is a default value.</P> <PRE><CODE>[tcpout] defaultGroup = a-output indexAndForward = 1 [tcpout:a-output] server=your_ordinary_indexer:port [tcpout:fw-group] server=your_firewall_indexer:port </CODE></PRE> <P>Then you use the transform for the firewall data to use <CODE>fw-group</CODE> instead of <CODE>a-output</CODE>.</P> <P>Hope this helps,</P> <P>Kristian</P> Sun, 06 May 2012 10:46:11 GMT https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44618#M22132 kristian_kolb 2012-05-06T10:46:11Z https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44619#M22133 <P>Do you know how?</P> Sun, 06 May 2012 11:04:30 GMT https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44619#M22133 khyoung7410 2012-05-06T11:04:30Z https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44620#M22134 <P>see update above. /k</P> Sun, 06 May 2012 13:14:31 GMT https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44620#M22134 kristian_kolb 2012-05-06T13:14:31Z https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44621#M22135 <P>Thanks you for answer my question.</P> Sun, 06 May 2012 14:01:12 GMT https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44621#M22135 khyoung7410 2012-05-06T14:01:12Z https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44622#M22136 <P>Please mark it as answered and/or upvote if this solved your problem. Thanks. /k</P> Sun, 06 May 2012 14:32:23 GMT https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44622#M22136 kristian_kolb 2012-05-06T14:32:23Z https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44623#M22137 <P>kristian. <BR /> The problem was solved.<BR /> thank you.</P> Mon, 07 May 2012 03:43:11 GMT https://community.splunk.com/t5/Deployment-Architecture/several-host-subset-send-other-splunk-server/m-p/44623#M22137 khyoung7410 2012-05-07T03:43:11Z