We have multiple Windows SUFs sending logs to a HF that then divides the winevent:security logs between two indexers. One indexer needs to receive logs from all servers; the second indexer needs to receive logs from only particular servers.
Any idea on how I can go about setting this up? I have custom transforms and props configs that will split the event IDs between the two indexers, but I need to limit which servers go to the second indexer as well.
On the heavy forwarder:
Create an output group:
outputs.conf:
[tcpout:hostGroup]
server=10.20.30.40:9999
Configure a props entry for the sourcetype in question:
[sourcetype_to_split]
TRANSFORMS-index = hostRedirect
Create the output routing transforms.conf:
[hostRedirect]
SOURCE_KEY = host
REGEX = (host1|host2|host3|host4)
DEST_KEY=_TCP_ROUTING
FORMAT=hostGroup
This looks to break things.
Simplifying my setup a bit, IDX-1 receives limited eventIDs for all hosts, IDX-2 receives all eventIDs for a subset of hosts.
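To see how the host-based `_TCP_ROUTING` transform from the answer combines with an event-ID split into the routing described above (limited event IDs for all hosts to IDX-1, all event IDs for a host subset to IDX-2, everything else dropped), here is an added example that is not from the original thread: a small Python model of Splunk's ordered transform evaluation, where each matching stanza overwrites its DEST_KEY and the last match wins. The engine is a simplified stand-in, not Splunk; the group names `idx1`/`idx2`, the event IDs, the host names and the field order inside the constructed `_raw` text are all assumptions.

```python
import re

# Ordered stand-ins for transforms.conf stanzas, in the order they would be
# listed in props.conf TRANSFORMS-route (assumed). Later matches overwrite
# earlier ones, which is why the order matters.
ROUTING_TRANSFORMS = [
    # 1. send everything to nullQueue by default ...
    ("_raw", r".", "queue", "nullQueue"),
    # 2. ... then rescue the limited event IDs for every host (go to idx1)
    ("_raw", r"EventCode=(4624|4625|4720)\b", "queue", "indexQueue"),
    ("_raw", r"EventCode=(4624|4625|4720)\b", "_TCP_ROUTING", "idx1"),
    # 3. rescue every event from the host subset (go to idx2)
    ("host", r"^(host1|host2)$", "queue", "indexQueue"),
    ("host", r"^(host1|host2)$", "_TCP_ROUTING", "idx2"),
    # 4. subset host AND limited ID: both groups via a comma-separated FORMAT;
    #    one stanza has one SOURCE_KEY, so both conditions are tested in _raw
    ("_raw", r"(?s)EventCode=(4624|4625|4720)\b.*ComputerName=(host1|host2)\b",
     "_TCP_ROUTING", "idx1,idx2"),
]
DEFAULT_GROUP = "idx1"   # outputs.conf [tcpout] defaultGroup (assumed)


def win_event(host, code):
    """Constructed sample of a WinEventLog:Security event's host and _raw."""
    raw = (f"03/21/2017 10:00:00 AM\nLogName=Security\nEventCode={code}\n"
           f"EventType=0\nComputerName={host}.example.test\nMessage=sample")
    return {"host": host, "_raw": raw}


def route(event, transforms=ROUTING_TRANSFORMS):
    """Return the set of output groups the event reaches; empty if dropped."""
    keys = {"queue": "indexQueue", "_TCP_ROUTING": None}
    for source_key, regex, dest_key, fmt in transforms:
        if re.search(regex, event[source_key]):
            keys[dest_key] = fmt          # last matching transform wins
    if keys["queue"] == "nullQueue":
        return set()
    groups = keys["_TCP_ROUTING"] or DEFAULT_GROUP
    return set(groups.split(","))


if __name__ == "__main__":
    for host, code in [("host1", 4624), ("host1", 4672), ("host9", 4625), ("host9", 4672)]:
        print(host, code, sorted(route(win_event(host, code))))
```

Events that match no routing stanza fall through to `defaultGroup`, so a deliberate nullQueue stanza is needed if IDX-1 really must see only the limited event IDs.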