<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Heavy Forwarder data route between multiple indexers in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwader-data-route-between-multiple-indexer/m-p/308544#M58097</link>
    <description>&lt;P&gt;Finally, I found the problem. I made a typo in the transforms.conf file name. btool helped me find the error.&lt;/P&gt;</description>
    <pubDate>Mon, 20 Feb 2017 15:06:41 GMT</pubDate>
    <dc:creator>ikulcsar</dc:creator>
    <dc:date>2017-02-20T15:06:41Z</dc:date>
    <item>
      <title>Heavy Forwarder data route between multiple indexers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwader-data-route-between-multiple-indexer/m-p/308541#M58094</link>
      <description>&lt;P&gt;Hi!&lt;/P&gt;

&lt;P&gt;I know there are several questions on this topic, but I didn't find a solution for me.&lt;BR /&gt;
I'm trying to create a simple lab Splunk system with 1 HF and 2 indexers (ix1, ix2). The HF has 2 inputs, udp://1514 and udp://1515.&lt;/P&gt;

&lt;P&gt;I tried to forward udp://1514 to ix1 and udp://1515 to ix2 with no luck. Somehow both indexers receive both logs :(&lt;/P&gt;

&lt;P&gt;inputs.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[udp://1514]
connection_host = ip
sourcetype = syslog

[udp://1515]
connection_host = ip
sourcetype = syslog
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[source::udp://1514]
TRANSFORMS-ix1 = send_to_ix1

[source::udp://1515]
TRANSFORMS-ix2 = send_to_ix2
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;transform.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[send_to_ix1]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer_1

[send_to_ix2]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer_2
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;output.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[tcpout:indexer_1]
server = 192.168.10.220:9997

[tcpout:indexer_2]
server = 192.168.10.221:9997
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;What am I doing wrong? Please help me.&lt;BR /&gt;
The final goal is to filter the logs received by indexers and send everything to a 3rd party log collector.&lt;/P&gt;

&lt;P&gt;Thank you for your time,&lt;BR /&gt;
Steven&lt;/P&gt;</description>
      <pubDate>Sat, 18 Feb 2017 13:56:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwader-data-route-between-multiple-indexer/m-p/308541#M58094</guid>
      <dc:creator>ikulcsar</dc:creator>
      <dc:date>2017-02-18T13:56:19Z</dc:date>
    </item>
    <item>
      <title>Re: Heavy Forwarder data route between multiple indexers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwader-data-route-between-multiple-indexer/m-p/308542#M58095</link>
      <description>&lt;P&gt;You don't need transforms to route data to a specific indexer group. All you need to do is specify _TCP_ROUTING in your inputs, like below:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[udp://1514]
connection_host = ip
sourcetype = syslog
_TCP_ROUTING = indexer_1

[udp://1515]
connection_host = ip
sourcetype = syslog
_TCP_ROUTING = indexer_2
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 12:55:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwader-data-route-between-multiple-indexer/m-p/308542#M58095</guid>
      <dc:creator>pradeepkumarg</dc:creator>
      <dc:date>2020-09-29T12:55:41Z</dc:date>
    </item>
    <item>
      <title>Re: Heavy Forwarder data route between multiple indexers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwader-data-route-between-multiple-indexer/m-p/308543#M58096</link>
      <description>&lt;P&gt;Thank you, it looks good.&lt;/P&gt;

&lt;P&gt;But in the near future, I'll have to use REGEX for log filtering. Can you maybe explain why my solution isn't working?&lt;BR /&gt;
Here are two pages; I tried to solve the problem based on these links:&lt;BR /&gt;
&lt;A href="https://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data"&gt;https://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data&lt;/A&gt;&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd"&gt;http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Regards,&lt;BR /&gt;
Steven&lt;/P&gt;</description>
      <pubDate>Mon, 20 Feb 2017 10:08:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwader-data-route-between-multiple-indexer/m-p/308543#M58096</guid>
      <dc:creator>ikulcsar</dc:creator>
      <dc:date>2017-02-20T10:08:20Z</dc:date>
    </item>
    <item>
      <title>Re: Heavy Forwarder data route between multiple indexers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwader-data-route-between-multiple-indexer/m-p/308544#M58097</link>
      <description>&lt;P&gt;Finally, I found the problem. I made a typo in the transforms.conf file name. btool helped me find the error.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Feb 2017 15:06:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwader-data-route-between-multiple-indexer/m-p/308544#M58097</guid>
      <dc:creator>ikulcsar</dc:creator>
      <dc:date>2017-02-20T15:06:41Z</dc:date>
    </item>
  </channel>
</rss>

