Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forward Data to Independent Indexer

jwelters
Explorer
‎05-07-2013 04:34 AM

I'm trying to determine how to send my data as it's being indexed to a a secondary indexer. That in itself is easy, the catch is currently I have many indexes and the indexer I'm required to send the data to has one.

So I need to forward indexed data to a single index on a remote indexer. I have no ability to configure the remote indexer.

Does anyone have any suggestions that may help in accomplishing this ?

Tags (2)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎05-07-2013 05:13 AM

There are ways to index and forward data, but I believe that the built in method sends index specific data, so you would have to have a duplicate config. If you aren't worried about license, you can send all the indexed data as syslog to the remote indexer, and have it re-index there on the single index.

[syslog]
defaultGroup = <target_group>, <target_group>, ...
[syslog:<target_group>]
server = [<ip>|<servername>]:<port>

0 Karma
Reply

jwelters
Explorer
‎05-07-2013 09:24 AM

You are correct, except for how do I configure it so when I send it I'm able to send data from multiple indexes to one. I only have one index as the destination however I have multiple on my system. So far syslog seems to be the only approach I can find that might work,however the lack of encryption is concerning.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎05-07-2013 05:19 AM

The you'll want to follow this: http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Forwarddatatothird-partysystemsd#TCP_data . You can send it TCP (uncooked) and have the remote accept it as a normal tcp input.

0 Karma
Reply

jwelters
Explorer
‎05-07-2013 05:15 AM

I thought of sending it as syslog, however the encryption of forwarding it as Splunk data is desired. I don't care about the remote indexers licensing whatsoever. The challenge as you mention is sending data from 30+ indexes to one index. Syslog might be the only option for us.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...