Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk ingest actions

Richy_s
Path Finder
‎01-24-2025 05:59 AM

Hello,

 

I'm using Splunk's ingest actions to aggregate logs and have created a destination and ruleset to forward copies to my S3 bucket, while sending filtered data to Splunk indexers. This setup is running on a Splunk Heavy Forwarder (HF), which receives logs on port 9997 from a syslog collector that gathers data from various sources. With the ingest actions feature, I'm limited to setting up a single sourcetype (possibly "syslog") and writing rules to filter and direct data to different indexes based on the device type. However, I also want to separate the data based on sourcetypes. I'm currently stuck on how to achieve this. Has anyone tried a similar solution or have any advice?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2025 07:36 AM

While there might be a solution using props/transforms (most probably not with just ingest actions), it seems it could be better done on a previous layer - configure such split in your syslog receiver and adjust metadata when sending to HEC or writing to files for pickup by your HF.

0 Karma
Reply

Richy_s
Path Finder
‎01-24-2025 10:24 AM

Thanks @PickleRick I have very less visibility and access issues on the source side, while I understand it is the easiest way to do this on the client side, I am trying to understand what are the possibilities at I have or can do on my HF on which I have full control.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...