Deployment Architecture

How to forward filtered events from Splunk to another Splunk receiver

gblondeau
New Member

Hi everyone,

I'm looking for a solution to forward some events to another Splunk Server. I need to forward specific events only (eg. events with httpCode=500). I saw in the documentation that I can deploy a universal forwarder and then configure filters by editing props.conf. From what I understood, forwarders are set up on each server where we need to capture data. I would like to avoid this and have a centralized solution.

I'm wondering if it's the only way to do it. Is it possible to set a search in Splunk web UI and then send the events to a particular server?

My concern is to be able to filter events from a centralized server.

Thanks for your help

0 Karma
1 Solution

MuS
Legend

Hi gblondeau,

You can set up a deployment server, which will be the centralized configuration server for the universal forwarders. Nevertheless, filtering will be done in your case on an indexer, because this is data parsing, which will not be done by the universal forwarder. So you must set up props.conf and transforms.conf according to the docs on your indexer.

hope this helps to get you started ...

cheers, MuS

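To make the accepted answer concrete, here is the configuration I would use for the poster's case (route only events containing httpCode=500 to a second Splunk receiver). This is an added example, not configuration from MuS, the poster or the Splunk documentation. The sourcetype name (web_access), the output group names (local_group, errors_group) and the receiver hostnames are assumptions; adjust them to your environment. The three stanzas live on the first Splunk instance that parses the data (an indexer or a heavy forwarder), which is exactly why they have no effect when placed on a universal forwarder.

```conf
# props.conf  (on the indexer / heavy forwarder, not the universal forwarder)
# Bind a routing transform to the sourcetype that carries the events.
# "web_access" is an assumed sourcetype name.
[web_access]
TRANSFORMS-route_errors = route_http_500

# transforms.conf
# REGEX is matched against the raw event at index time. The trailing (?!\d)
# stops "httpCode=500" from also matching "httpCode=5001" or "httpCode=5003".
# DEST_KEY = _TCP_ROUTING overrides the default output group for that event;
# FORMAT names the tcpout group defined in outputs.conf.
[route_http_500]
REGEX   = httpCode=500(?!\d)
DEST_KEY = _TCP_ROUTING
FORMAT  = errors_group

# outputs.conf
# Everything that the transform does not touch goes to defaultGroup;
# only events matched above are sent to errors_group.
[tcpout]
defaultGroup = local_group

# Assumed receiver addresses; both must be listening on their receiving port.
[tcpout:local_group]
server = idx-primary.example.com:9997

[tcpout:errors_group]
server = idx-secondary.example.com:9997

# Only needed when this instance is itself an indexer: keep indexing every
# event locally as well as forwarding according to the routing above.
[indexAndForward]
index = true
```

Two things to check after restarting splunkd: send a test event with httpCode=500 and one with httpCode=200 through the sourcetype and confirm that only the first appears on idx-secondary, and confirm with `splunk btool transforms list route_http_500 --debug` that the stanza is actually picked up from the instance you intended. If the receiving side is a universal forwarder or a heavy forwarder that has already been parsed upstream, the transform will not run again there, so the filtering has to sit on the first parsing hop.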


MuS
Legend

Regarding the configuration: basically you could also use any other tool that is able to change files on a server, like Puppet.
Regarding the filtering: no, this is how it is done 🙂

0 Karma

gblondeau
New Member

Hey Mus,

Thanks for your answer. I'll take a look at the deployment server + universal forwarder.

Otherwise, is there any other solution?

0 Karma