Solved: Configure selective indexing to send all logs to a...

sbattista09 · ‎09-18-2017

i am bit lost on selective indexing. I wanted to configure on of my prod indexers to send logs to a dev indexer and after reading up on some documents i feel i am missing something. below would be the config i would apply anyone have tips on what i am missing?

-Prod indexer-
outsputs.conf-
[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:send_to_dev]
server = dev_indexer:9997

-inputs.conf-
add _INDEX_AND_FORWARD_ROUTING=send_to_dev to all inputs.conf stanzas on the prod indexer.

-Dev indexer inputs.conf-
add a inputs.conf stanza that will listen for prod_index:9997

tmarlette · ‎09-18-2017

Try this article.

To send data to a separate indexer or set of indexers, you will need to use the _TCP_ROUTING setting in inputs.conf

http://docs.splunk.com/Documentation/Splunk/6.0.2/Forwarding/Routeandfilterdatad

View solution in original post

tmarlette · ‎09-18-2017

Try this article.

To send data to a separate indexer or set of indexers, you will need to use the _TCP_ROUTING setting in inputs.conf

http://docs.splunk.com/Documentation/Splunk/6.0.2/Forwarding/Routeandfilterdatad

Configure selective indexing to send all logs to a dev indexer

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation