Deployment Architecture

routing assistance config - HEC to multiple envs

Esky73
Builder

i am receiving data via HEC to a SH which then sends to an index tier.

I've like to also send this data to a secondary indexing tier which is a separate env - need some clarification with the config is the section 'Forward data for a single index only' relevant here - will it still index locally ?

http://docs.splunk.com/Documentation/Splunk/7.1.0/Forwarding/Routeandfilterdatad#Perform_selective_i...

[tcpout]
#Disable the current filters from the defaults outputs.conf
forwardedindex.0.whitelist = 
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

#Forward data for the "myindex" index
forwardedindex.0.whitelist = myindex
Tags (1)
0 Karma

shelde_msearles
New Member

Did this end up working as you expected?

0 Karma

xpac
SplunkTrust
SplunkTrust

So - you want to send the HEC data to two different destinations?
You sent ALL data from that instance to a certain index tier, by default, and for some data, want to also send that data to a second destination?

0 Karma

Esky73
Builder

hey xpac - correct.

It's not an ideal scenario - just a workaround to send the HEC data to another test env.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...