My question is, is it possible to only forward specific data to my Splunk environment?
So my situation is:
I have a distributed production environment and 2 separate development servers with standalone instances of Splunk. I want to forward the Linux logs from my DEV servers to my production environment. Is this possible without forwarding the other data we index in this development environment? We put data into these dev servers before we put it into production, so we don't want all of the data going into dev forwarding to production; we only want the Linux server logs!
I thought about installing a separate UF on the dev boxes and getting that to do the job, but the management port 8089 is already in use by the main Splunk instance, and it's a bit of a hassle setting things up for a new management port, etc.
If you want to forward all Linux logs, you could configure the Universal Forwarders on the Linux servers to send logs to both the DEV and Production servers.
If instead you want to send logs from the DEV Splunk server to the Production servers, see the section "Filter and route event data to target groups" at http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
Remember that you are indexing your logs twice!
Maybe (I don't know if it's compatible with your security policies) you could send Linux logs only to the Production systems and, configuring your DEV Splunk as a Search Head, search the Linux logs on the production systems.
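The "filter and route to target groups" approach from the answer above, written out as an added example (not part of the original post or of the Splunk docs). It goes on the DEV Splunk server, because routing rules in props.conf/transforms.conf are applied at parse time, which a full Splunk instance does and a Universal Forwarder does not. The source path pattern, the sourcetype name, the target group name and the indexer hostnames/ports are assumptions for illustration; adjust them to your environment.

```ini
# --- $SPLUNK_HOME/etc/system/local/props.conf (on the DEV Splunk server) ---
# Attach the routing transform only to the Linux OS logs we want in production.
# Assumed: the Linux logs are monitored under /var/log/ ("..." is Splunk's
# recursive path wildcard) and/or arrive as sourcetype linux_secure.
[source::/var/log/...]
TRANSFORMS-route_linux = route_linux_to_prod

[linux_secure]
TRANSFORMS-route_linux = route_linux_to_prod

# --- $SPLUNK_HOME/etc/system/local/transforms.conf ---
# Match every event of the stanzas above (REGEX = . matches any non-empty
# event) and set its _TCP_ROUTING key to the production target group.
# Events without a _TCP_ROUTING value are not forwarded at all, because no
# defaultGroup is set in outputs.conf below.
[route_linux_to_prod]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = prod_indexers

# --- $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
# Keep indexing everything locally on DEV as before (this is the "indexed
# twice" point from the answer: the Linux logs land in both DEV and PROD).
indexAndForward = true
# Deliberately NO defaultGroup here: only data that a transform has tagged
# with _TCP_ROUTING leaves this box, so the other dev data stays in DEV.

# Assumed production indexer addresses and receiving port (9997 must be
# enabled as a receiving port on the production indexers).
[tcpout:prod_indexers]
server = prod-idx01.example.com:9997, prod-idx02.example.com:9997
```

After restarting the DEV instance, check the forwarder side with `splunk list forward-server` (the production indexers should show as active) and confirm on the production search head that only the Linux sourcetypes arrive from the DEV hosts, for example with `index=* host=dev* | stats count by sourcetype`.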