https://community.splunk.com/t5/Getting-Data-In/Index-all-but-one-input/m-p/354520#M64832 <P>Guys-</P> <P>I'm facing an (apparantely) challenging task:<BR /> I have a standalon splunk test instance which serves as a first point of ingestion for new inputs- however, what i want to achieve is the following:<BR /> As this instance runs on a windows server i want to have the configured os inputs (eventlog, perfmon) to be forwarded to our production instance and keep the rest local indexed.</P> <P>What I have tried so far:</P> <P>Easiest approach from my pov:<BR /> Created an outputs.conf</P> <PRE><CODE>[tcpout:fwd_to_prod] server = t800.skynet.net:9997 </CODE></PRE> <P>And a referring input in inputs.conf as follows:</P> <PRE><CODE>[WinEventLog://Application] _TCP_ROUTING = fwd_to_prod </CODE></PRE> <P>Result: EVERYTHING is going to be forwarded to my production instance, including all internal stuff</P> <P>After some research i tried it with the more complicated way, using a transforms to do so:<BR /> I had the same outputs.conf:</P> <PRE><CODE>[tcpout:fwd_to_prod] server = t800.skynet.net:9997 </CODE></PRE> <P>Added the following transforms stanza in transforms.conf:</P> <PRE><CODE>#forward win events to prod splunk [forward_prod] DEST_KEY = _TCP_ROUTING FORMAT = fwd_to_prod REGEX = . </CODE></PRE> <P>Then i referred to my transforms in my props.conf:</P> <PRE><CODE>[WinEventLog://Application] TRANSFORMS-App = forward_prod </CODE></PRE> <P>Result: EVERYTHING is going to be forwarded to my production instance, including all internal stuff</P> <P>Its weird somehow - <BR /> Yes i did read the docs, and yes, i'm aware that forwardandIndex and selectiveIndex is a way but it the docs all refer to the other way round, indexing one type and forward everything else! I don't want to set "_INDEX_AND_FORWARD_ROUTING" on all my inputs expect the windows one as you might understand. </P> <P>I even tried to add a dummy tcp output group as default group in my outputs.conf with no effect - adding the "localhost" as the default target group resulted in no forwarding or indexing at all.</P> <P>Any help is appreciated</P> <P>Cheers</P> Tue, 29 Sep 2020 13:13:38 GMT claudio_manig 2020-09-29T13:13:38Z https://community.splunk.com/t5/Getting-Data-In/Index-all-but-one-input/m-p/354520#M64832 <P>Guys-</P> <P>I'm facing an (apparantely) challenging task:<BR /> I have a standalon splunk test instance which serves as a first point of ingestion for new inputs- however, what i want to achieve is the following:<BR /> As this instance runs on a windows server i want to have the configured os inputs (eventlog, perfmon) to be forwarded to our production instance and keep the rest local indexed.</P> <P>What I have tried so far:</P> <P>Easiest approach from my pov:<BR /> Created an outputs.conf</P> <PRE><CODE>[tcpout:fwd_to_prod] server = t800.skynet.net:9997 </CODE></PRE> <P>And a referring input in inputs.conf as follows:</P> <PRE><CODE>[WinEventLog://Application] _TCP_ROUTING = fwd_to_prod </CODE></PRE> <P>Result: EVERYTHING is going to be forwarded to my production instance, including all internal stuff</P> <P>After some research i tried it with the more complicated way, using a transforms to do so:<BR /> I had the same outputs.conf:</P> <PRE><CODE>[tcpout:fwd_to_prod] server = t800.skynet.net:9997 </CODE></PRE> <P>Added the following transforms stanza in transforms.conf:</P> <PRE><CODE>#forward win events to prod splunk [forward_prod] DEST_KEY = _TCP_ROUTING FORMAT = fwd_to_prod REGEX = . </CODE></PRE> <P>Then i referred to my transforms in my props.conf:</P> <PRE><CODE>[WinEventLog://Application] TRANSFORMS-App = forward_prod </CODE></PRE> <P>Result: EVERYTHING is going to be forwarded to my production instance, including all internal stuff</P> <P>Its weird somehow - <BR /> Yes i did read the docs, and yes, i'm aware that forwardandIndex and selectiveIndex is a way but it the docs all refer to the other way round, indexing one type and forward everything else! I don't want to set "_INDEX_AND_FORWARD_ROUTING" on all my inputs expect the windows one as you might understand. </P> <P>I even tried to add a dummy tcp output group as default group in my outputs.conf with no effect - adding the "localhost" as the default target group resulted in no forwarding or indexing at all.</P> <P>Any help is appreciated</P> <P>Cheers</P> Tue, 29 Sep 2020 13:13:38 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-but-one-input/m-p/354520#M64832 claudio_manig 2020-09-29T13:13:38Z https://community.splunk.com/t5/Getting-Data-In/Index-all-but-one-input/m-p/354521#M64833 <P>Something like this should work</P> <P>etc/system/local/outputs.conf (configure selective indexing)</P> <PRE><CODE>[indexAndForward] index=true selectiveIndexing=true [tcpout:fwd_to_prod] server = yourIndexer:9997 </CODE></PRE> <P>etc/system/local/inputs.conf (configure default behaviour as local indexing for all data inputs)</P> <PRE><CODE>[default] _INDEX_AND_FORWARD_ROUTING = MySecKey </CODE></PRE> <P>Add the _TCP_ROUTING attribute to the stanzas of each input that you want to forward. E.g.</P> <PRE><CODE>[WinEventLog://Application] _TCP_ROUTING=fwd_to_prod </CODE></PRE> Tue, 29 Sep 2020 13:13:41 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-but-one-input/m-p/354521#M64833 somesoni2 2020-09-29T13:13:41Z https://community.splunk.com/t5/Getting-Data-In/Index-all-but-one-input/m-p/354522#M64834 <P>Oh I see i missed the [default] option in inputs.conf to make it global - worked like a charm, thanks a lot!<BR /> Can you do me another favour and use my first hostname on your answer - thx</P> Tue, 14 Mar 2017 14:45:18 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-but-one-input/m-p/354522#M64834 claudio_manig 2017-03-14T14:45:18Z