Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Forward specific index to a specific receiver
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
i have three index : A, B, C on my heavy forwarder and i want to forward to different receiver,
example : A to X, B to Y and C to Y too
How can i do that ?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, if you actually have indexes on your forwarder - it isn't just a forwarder anymore, it is also an indexer and it needs a license.
Second, if you can, route the events to the receiver based on sourcetype or source or host - not index, if possible:
props.conf
[sourcetypeA1]
TRANSFORM-a1=routeToReceiverX
[sourcetypeA2]
TRANSFORM-a2=routeToReceiverX
[sourcetypeB]
TRANSFORM-b1=routeToReceiverY
etc
transforms.conf
[routeToReceiverX]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverXGroup
etc
outputs.conf
[tcpout:ReceiverXGroup]
server=ReceiverX:9997
[tcpout:ReceiverYGroup]
server=ReceiverY:9997
If you must route based on index, do this in props.conf and transforms.conf instead (outputs.conf stays the same):
props.conf
[host::*]
TRANSFORM-h1=routeToReceiverX,routeToReceiverY,routeToReceiverZ
transforms.conf
[routeToReceiverX]
SOURCE_KEY=_MetaData:Index
REGEX=A
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverXGroup
[routeToReceiverY]
SOURCE_KEY=_MetaData:Index
REGEX=B
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverYGroup
I am not entirely sure that this second method will work...
Here is a link to the documentation on Route and filter data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, if you actually have indexes on your forwarder - it isn't just a forwarder anymore, it is also an indexer and it needs a license.
Second, if you can, route the events to the receiver based on sourcetype or source or host - not index, if possible:
props.conf
[sourcetypeA1]
TRANSFORM-a1=routeToReceiverX
[sourcetypeA2]
TRANSFORM-a2=routeToReceiverX
[sourcetypeB]
TRANSFORM-b1=routeToReceiverY
etc
transforms.conf
[routeToReceiverX]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverXGroup
etc
outputs.conf
[tcpout:ReceiverXGroup]
server=ReceiverX:9997
[tcpout:ReceiverYGroup]
server=ReceiverY:9997
If you must route based on index, do this in props.conf and transforms.conf instead (outputs.conf stays the same):
props.conf
[host::*]
TRANSFORM-h1=routeToReceiverX,routeToReceiverY,routeToReceiverZ
transforms.conf
[routeToReceiverX]
SOURCE_KEY=_MetaData:Index
REGEX=A
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverXGroup
[routeToReceiverY]
SOURCE_KEY=_MetaData:Index
REGEX=B
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverYGroup
I am not entirely sure that this second method will work...
Here is a link to the documentation on Route and filter data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks lguinn,
Damien
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
