Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Forward specific index to a specific receiver
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
i have three index : A, B, C on my heavy forwarder and i want to forward to different receiver,
example : A to X, B to Y and C to Y too
How can i do that ?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, if you actually have indexes on your forwarder - it isn't just a forwarder anymore, it is also an indexer and it needs a license.
Second, if you can, route the events to the receiver based on sourcetype or source or host - not index, if possible:
props.conf
[sourcetypeA1]
TRANSFORM-a1=routeToReceiverX
[sourcetypeA2]
TRANSFORM-a2=routeToReceiverX
[sourcetypeB]
TRANSFORM-b1=routeToReceiverY
etc
transforms.conf
[routeToReceiverX]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverXGroup
etc
outputs.conf
[tcpout:ReceiverXGroup]
server=ReceiverX:9997
[tcpout:ReceiverYGroup]
server=ReceiverY:9997
If you must route based on index, do this in props.conf and transforms.conf instead (outputs.conf stays the same):
props.conf
[host::*]
TRANSFORM-h1=routeToReceiverX,routeToReceiverY,routeToReceiverZ
transforms.conf
[routeToReceiverX]
SOURCE_KEY=_MetaData:Index
REGEX=A
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverXGroup
[routeToReceiverY]
SOURCE_KEY=_MetaData:Index
REGEX=B
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverYGroup
I am not entirely sure that this second method will work...
Here is a link to the documentation on Route and filter data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, if you actually have indexes on your forwarder - it isn't just a forwarder anymore, it is also an indexer and it needs a license.
Second, if you can, route the events to the receiver based on sourcetype or source or host - not index, if possible:
props.conf
[sourcetypeA1]
TRANSFORM-a1=routeToReceiverX
[sourcetypeA2]
TRANSFORM-a2=routeToReceiverX
[sourcetypeB]
TRANSFORM-b1=routeToReceiverY
etc
transforms.conf
[routeToReceiverX]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverXGroup
etc
outputs.conf
[tcpout:ReceiverXGroup]
server=ReceiverX:9997
[tcpout:ReceiverYGroup]
server=ReceiverY:9997
If you must route based on index, do this in props.conf and transforms.conf instead (outputs.conf stays the same):
props.conf
[host::*]
TRANSFORM-h1=routeToReceiverX,routeToReceiverY,routeToReceiverZ
transforms.conf
[routeToReceiverX]
SOURCE_KEY=_MetaData:Index
REGEX=A
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverXGroup
[routeToReceiverY]
SOURCE_KEY=_MetaData:Index
REGEX=B
DEST_KEY=_TCP_ROUTING
FORMAT=ReceiverYGroup
I am not entirely sure that this second method will work...
Here is a link to the documentation on Route and filter data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks lguinn,
Damien
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
