Re: Can you send different logs to different Index...

zbumpers · ‎02-25-2015

I would like to be able to send Log A to Indexer A and Log B to Indexer B from one forwarder.

vincenteous · ‎02-25-2015

Hi zbumpers,

From my experience, it is possible to achieve this. You just need to set the proper indexer destination in outputs.conf of the forwarder. Create tcpout groups and then specify the groups to the proper monitoring stanza in inputs.conf. For example, something like this:

Your indexers: 192.168.56.101:8089 and 192.168.56.102:8089

In your forwarder:
outputs.conf:

[tcpout:IndexerA]
server=192.168.56.101:8089
....
....

[tcpout:IndexerB]
server=192.168.56.102:8089
....
....

inputs.conf:

[monitor:///path/to/log/A/logA.log]
# Add attributes to your monitor like sourcetype, index, etc
....
....
# In the end, specify to which indexer this log should be sent using _TCP_ROUTING = <group name>
_TCP_ROUTING = IndexerA

# Do the same for log B
[monitor:///path/to/log/B/logB.log]
....
....
_TCP_ROUTING = IndexerB

Restart the forwarder and see the result. Hope this helps.

References:
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/Outputsconf
http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Configureforwarderswithoutputs.confd

Can you send different logs to different Indexers from the same forwarder?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life