We got several IIS servers and want to index IIS logs into Splunk. However, we need to separate some of the servers to a separate indexer due to different needs for access control and retention.
Is there a way to get IIS logs from some servers to one index and logs from another server to another index?
Using universal forwarders, running Splunk 7.2.6, Windows 2012RS, single instance.
You should not be using separate indexers, you should be using separate index values on the same indexer and using the role-based access feature to control who gets to use/see what. Hopefully that is what you meant. You can do it the hard way at the indexers like this:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
Or you can do it the easy way by either:
1: creating 2 apps and deploying one with index=foo to 1 class of servers and the other with index=bar to the other class.
2: using a single app and creating a set of universal host-based stanzas to the appropriate UFs like this:
[host::foo1]
index = foo
[host::foo2]
index = foo
[host::foo3]
index = foo
[host::foo4]
index = foo
[host::bar1]
index = bar
[host::bar2]
index = bar
[host::bar3]
index = bar
[host::bar4]
index = bar
OP said "indexes", not "indexers"
I think somebody edited and fixed it.
You can use different server classes (with associated different inputs.conf) going to IIS servers of Type A vs Type B
Yes, you do need to maintain two (or more) UF apps, but you can get pretty granular on what endpoints show up in what server class
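Worked out as one concrete set of .conf files, as an added example that is not from the original thread: it combines the first answer's advice (separate indexes on the same indexer, plus role-based access) with the server-class approach from the comment above. The index names (iis_finance, iis_web), role names, app names, hostname patterns (iisfin*, iisweb*) and the one-year / 90-day retention values are assumptions for illustration, not values from the thread. Splunk .conf files do not allow trailing comments, so every comment here is on its own line.

```ini
# --- Indexer: indexes.conf ---
# One index per access-control / retention boundary.
# Retention values below are assumed for illustration.
[iis_finance]
homePath   = $SPLUNK_DB/iis_finance/db
coldPath   = $SPLUNK_DB/iis_finance/colddb
thawedPath = $SPLUNK_DB/iis_finance/thaweddb
# assumed: keep one year
frozenTimePeriodInSecs = 31536000

[iis_web]
homePath   = $SPLUNK_DB/iis_web/db
coldPath   = $SPLUNK_DB/iis_web/colddb
thawedPath = $SPLUNK_DB/iis_web/thaweddb
# assumed: keep 90 days
frozenTimePeriodInSecs = 7776000

# --- Search head: authorize.conf ---
# Each role may search only its own index; this is what enforces separation.
[role_iis_finance_analyst]
importRoles        = user
srchIndexesAllowed = iis_finance
srchIndexesDefault = iis_finance

[role_iis_web_analyst]
importRoles        = user
srchIndexesAllowed = iis_web
srchIndexesDefault = iis_web

# --- Deployment server: serverclass.conf ---
# Hostname patterns are assumed; adjust the whitelist to your naming scheme.
[serverClass:iis_finance]
whitelist.0 = iisfin*

[serverClass:iis_finance:app:iis_inputs_finance]
restartSplunkd = true

[serverClass:iis_web]
whitelist.0 = iisweb*

[serverClass:iis_web:app:iis_inputs_web]
restartSplunkd = true

# --- App iis_inputs_finance, default/inputs.conf (pushed to finance UFs) ---
[monitor://C:\inetpub\logs\LogFiles]
disabled   = 0
recursive  = true
whitelist  = \.log$
sourcetype = iis
index      = iis_finance

# --- App iis_inputs_web, default/inputs.conf (pushed to the other UFs) ---
[monitor://C:\inetpub\logs\LogFiles]
disabled   = 0
recursive  = true
whitelist  = \.log$
sourcetype = iis
index      = iis_web
```

The two inputs.conf files differ only in the index value, so the only moving part per server group is which app the deployment server hands out. The access boundary is enforced by srchIndexesAllowed, not by the index name: a user holding only role_iis_finance_analyst gets no results from iis_web even with an explicit index=iis_web in the search, while roles such as admin that inherit srchIndexesAllowed = * still see both. On a forwarder, `splunk btool inputs list --debug` shows which index each monitor stanza resolved to and which app it came from, which is the quickest way to confirm a host landed in the right server class.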
Hi @erikwie,
You have to override the index value for some events on the Indexers, not on the Universal Forwarders.
Following the info at https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Advancedsourcetypeoverrides
in props.conf
[host::your_host]
TRANSFORMS-index = overrideindex
(a stanza for each host, or you can use wildcard chars)
in transforms.conf
[overrideindex]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = my_new_index
Ciao.
Giuseppe
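As an added example (not the poster's own configuration), the override above extended to the two-group case with wildcard host stanzas. This pair of files belongs on the indexer (or on a heavy forwarder, if one does the parsing), not on the universal forwarders, because a UF does not evaluate props.conf/transforms.conf. The hostname patterns (iisfin*, iisweb*) and index names are assumptions for illustration.

```ini
# --- Indexer: props.conf ---
# One stanza per host group; host:: stanza names accept shell-style wildcards.
# The TRANSFORMS-<name> suffix only has to be unique within the stanza.
[host::iisfin*]
TRANSFORMS-set_index = set_index_iis_finance

[host::iisweb*]
TRANSFORMS-set_index = set_index_iis_web

# --- Indexer: transforms.conf ---
# REGEX = . matches every event, so the whole stream from a matching host
# is rerouted. The destination index must already exist on the indexer.
[set_index_iis_finance]
REGEX    = .
DEST_KEY = _MetaData:Index
FORMAT   = iis_finance

[set_index_iis_web]
REGEX    = .
DEST_KEY = _MetaData:Index
FORMAT   = iis_web
```

Because this runs at index time it takes precedence over whatever index = value the forwarder's inputs.conf carried, so a misconfigured or tampered forwarder cannot push a finance host's logs into the less restricted index. The trade-off is that the decision now rests on the host field, which the forwarder itself supplies (from inputs.conf or the machine name); a forwarder that can choose its own host name can choose its index, so keep forwarder configuration under the same change control as the indexer. Restart splunkd on the indexer after editing these files, and use `splunk btool props list --debug` to confirm which stanza a given host pattern resolves to.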