Deployment Architecture

How to maintain data integrity in Splunk Index? I mean to say is there any white-listing of servers that only specific servers are allowed to forward the data to specific index?

sunnyb147
Path Finder

How to maintain data integrity in Splunk Index? I mean to say is there any white-listing of servers that only specific servers are allowed to forward the data to specific index?

For example: I have two indexes index_test1 and index_test2 and have 4 servers (A,B,C,D) configured to forward the data. I want only servers A and B should send the data to index_test1 and B & C should send the data to index_test2.

Sample stanza:

[monitor:////var/log/test/app/test.log]
index=index_test1
sourcetype = test_Log
source = test_log_f1
disabled = 0

Reason why I am looking for it is, lets say if someone made a typo then the intended data will be pushed to incorrect/wrong index.

0 Karma

vishaltaneja070
Motivator

Hello @sunnyb147

I think something like below will work for you:
props.conf

    [host::A|B]
    TRANSFORMS-datafilter = route_to_correct_index

    [host::C|D]
    TRANSFORMS-datafilter = route_to_correct_index2

Transforms.conf

[route_to_correct_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_test1

[route_to_correct_index2]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_test2
0 Karma

vishaltaneja070
Motivator

Place this setting on HF or Indexer

0 Karma