routing assistance config - HEC to multiple envs

Esky73 · ‎05-20-2018

i am receiving data via HEC to a SH which then sends to an index tier.

I've like to also send this data to a secondary indexing tier which is a separate env - need some clarification with the config is the section 'Forward data for a single index only' relevant here - will it still index locally ?

http://docs.splunk.com/Documentation/Splunk/7.1.0/Forwarding/Routeandfilterdatad#Perform_selective_i...

[tcpout]
#Disable the current filters from the defaults outputs.conf
forwardedindex.0.whitelist = 
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =

#Forward data for the "myindex" index
forwardedindex.0.whitelist = myindex

shelde_msearles · ‎03-19-2019

Did this end up working as you expected?

xpac · ‎05-21-2018

So - you want to send the HEC data to two different destinations?
You sent ALL data from that instance to a certain index tier, by default, and for some data, want to also send that data to a second destination?

Esky73 · ‎05-21-2018

hey xpac - correct.

It's not an ideal scenario - just a workaround to send the HEC data to another test env.

routing assistance config - HEC to multiple envs

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio