
How to maintain data integrity in a Splunk index? I mean to say, is there any whitelisting of servers so that only specific servers are allowed to forward data to a specific index?


For example: I have two indexes, indextest1 and indextest2, and 4 servers (A, B, C, D) configured to forward data. I want only servers A and B to send data to indextest1, and B & C to send data to indextest2.

Sample stanza:

    [monitor:///var/log/test/app/test.log]
    index = indextest1
    sourcetype = testLog
    source = testlogf1
    disabled = 0

The reason I am looking for this is that, let's say, if someone made a typo, then the intended data would be pushed to the incorrect/wrong index.

0 Karma

Re: How to maintain data integrity in a Splunk index? I mean to say, is there any whitelisting of servers so that only specific servers are allowed to forward data to a specific index?

Hello @sunnyb147

I think something like below will work for you:

props.conf

    [host::A|B]
    TRANSFORMS-datafilter = route_to_correct_index

    [host::C|D]
    TRANSFORMS-datafilter = route_to_correct_index2

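transforms.conf

    # REGEX = . matches every event from the hosts named in the props.conf stanza
    # DEST_KEY = _MetaData:Index overwrites the index the event is written to
    [route_to_correct_index]
    REGEX = .
    DEST_KEY = _MetaData:Index
    FORMAT = index_test1

    [route_to_correct_index2]
    REGEX = .
    DEST_KEY = _MetaData:Index
    FORMAT = index_test2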
0 Karma

Re: How to maintain data integrity in a Splunk index? I mean to say, is there any whitelisting of servers so that only specific servers are allowed to forward data to a specific index?

Place this setting on HF or Indexer

0 Karma
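
An added example, not written by any poster in this thread: a pre-deployment check for the typo scenario in the question, which lints a forwarder's inputs.conf text against a host-to-index allowlist. The names `ALLOWED`, `parse_conf` and `audit` are hypothetical, the sample input is constructed, host D is assumed to have no allowed index, and only `monitor://` stanzas are checked.

```python
# Added example: lint forwarder inputs.conf text against a host-to-index allowlist.
# ALLOWED mirrors the question (A, B -> indextest1; B, C -> indextest2); D is assumed to have none.
ALLOWED = {"A": {"indextest1"}, "B": {"indextest1", "indextest2"},
           "C": {"indextest2"}, "D": set()}

def parse_conf(text):
    """Return [(stanza_name, {key: value})] from Splunk .conf-style text."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas

def audit(host, inputs_text, allowed=ALLOWED):
    """Return (host, stanza, index) for each enabled monitor input whose index is not allowed."""
    stanzas = parse_conf(inputs_text)
    # A [default] stanza can set index for every input; otherwise Splunk uses "main".
    fallback = "main"
    for name, settings in stanzas:
        if name == "default":
            fallback = settings.get("index", fallback)
    findings = []
    for name, settings in stanzas:
        if not name.startswith("monitor://"):
            continue
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue
        index = settings.get("index", fallback)
        if index not in allowed.get(host, set()):
            findings.append((host, name, index))
    return findings

# Constructed sample: host C with one mistyped index and one input with no index set.
SAMPLE_C = """
[monitor:///var/log/test/app/test.log]
index = indxtest2
sourcetype = test

[monitor:///var/log/test/app/other.log]
sourcetype = test
"""

if __name__ == "__main__":
    for finding in audit("C", SAMPLE_C):
        print("index not allowed for host: %s %s -> %s" % finding)
```

Running the check on each forwarder's configuration before it is deployed reports the mistyped index name and the input that would silently fall back to `main`.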