I'm trying to determine how to send my data, as it's being indexed, to a secondary indexer. That in itself is easy; the catch is that I currently have many indexes, and the indexer I'm required to send the data to has one.
So I need to forward indexed data to a single index on a remote indexer. I have no ability to configure the remote indexer.
Does anyone have any suggestions that may help in accomplishing this?
There are ways to index and forward data, but I believe that the built-in method sends index-specific data, so you would have to have a duplicate config. If you aren't worried about license, you can send all the indexed data as syslog to the remote indexer and have it re-index there on the single index.
[syslog]
defaultGroup = <target_group>, <target_group>, ...
[syslog:<target_group>]
server = [<ip>|<servername>]:<port>
You are correct, except how do I configure it so that when I send it I'm able to send data from multiple indexes to one? I only have one index as the destination; however, I have multiple on my system. So far syslog seems to be the only approach I can find that might work; however, the lack of encryption is concerning.
Then you'll want to follow this: http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Forwarddatatothird-partysystemsd#TCP_data . You can send it TCP (uncooked) and have the remote accept it as a normal tcp input.
I thought of sending it as syslog; however, the encryption of forwarding it as Splunk data is desired. I don't care about the remote indexer's licensing whatsoever. The challenge, as you mention, is sending data from 30+ indexes to one index. Syslog might be the only option for us.