Deployment Architecture

Can you configure a Universal Forwarder output to send to two separate Heavy Forwarders?

Log_wrangler
Builder

I need to send two copies of events to two different HFs (not load-balanced).

I want to use a UF on a server to send events to a HF which will send cooked to the indexers, and I want the UF to send the same events to a different HF that will send raw (uncooked) events to a 3rd party.

Can the UF handle sending the data twice?

Thank you

1 Solution

markusspitzli
Communicator

Hey.

This documentation will help you: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Basically you have to configure two different destinations in outputs.conf:

[tcpout]
defaultGroup=myroute

[tcpout:myroute]
disabled=false
server=10.1.12.1:9997

[tcpout:anotherroute]
disabled=false
server=10.1.12.2:9997

Then you have to configure the props.conf for which sourcetype, host, or source you want to clone the data.

[mysourcetype]
TRANSFORMS-routing = routing

[host::myhost]
TRANSFORMS-routing = routing

[source::/var/log/messages]
TRANSFORMS-routing = routing

Of course you have to configure the transforms.conf

[routing]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=myroute,anotherroute

that should do the job

View solution in original post

0 Karma

markusspitzli
Communicator

Hey.

This documentation will help you: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Basically you have to configure two different destinations in outputs.conf:

[tcpout]
defaultGroup=myroute

[tcpout:myroute]
disabled=false
server=10.1.12.1:9997

[tcpout:anotherroute]
disabled=false
server=10.1.12.2:9997

Then you have to configure the props.conf for which sourcetype, host, or source you want to clone the data.

[mysourcetype]
TRANSFORMS-routing = routing

[host::myhost]
TRANSFORMS-routing = routing

[source::/var/log/messages]
TRANSFORMS-routing = routing

Of course you have to configure the transforms.conf

[routing]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=myroute,anotherroute

that should do the job

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...