Deployment Architecture

need to limit what servers are sending logs to an indexer

Path Finder

We have multiple window SUFs sending logs to a HF that then divide the winevent:security logs between two indexers. One indexer needs to receive logs from all servers, the second indexer needs to receive logs from only particular servers.

Any idea on how i can go about setting this up? I have a custom transform and props configs that will split the event ids between the two indexers, but i need to limit which servers go to the second indexer as well.

Tags (1)
0 Karma


On the heavy forwarder:

  1. Create and output group:


  2. Configure a props entry for the sourcetype in question:

    TRANSFORMS-index = hostRedirect

  3. Create the output routing transforms.conf:

    SOURCE_KEY = host
    REGEX = (host1|host2|host3|host4)

0 Karma

Path Finder

This looks to break things.

Simplifying my setup a bit, IDX-1 receives limited eventIDs for all hosts, IDX-2 receives all eventIDs for a subset of hosts.

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...