Getting Data In

From a Heavy Forwarder to an Indexer, how can I get Splunk to separate Windows and Linux logs into two different indexes?

New Member

So my issue is that I am not sure how to get Splunk to separate data on the indexer.

I am trying to listen on the forwarder port 514 (for Linux syslog) and 6161 (for windows event logs), I use _tcp_routing to send it to a tcpout targetgroup associated with the indexer ports 9997, and 9998. which allows me to have a splunktcp:// index= for each port.

Am I doing this all wrong, and how can I get Splunk to separate the windows and Linux logs into two different indexes?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarder:
fwd inputs.conf-
[scripts://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0

[tcp://514]
_TCP_ROUTING=Linux

[tcp://6161]
_TCP_ROUTING=Windows

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fwd outputs.conf -

[tcpout]
defaultGroup=Windows, Linux

[tcpout:Windows]
server=(server ip):9997

[tcpout:Linux]
server=(server ip):9998

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
indexer:

index inputs.conf -

[default]
host = somehost1

[tcp://9997]
index=windowseventlogs
connection_host=dns

[tcp://9998]
index=linuxauditlogs
connection_host=dns

0 Karma
1 Solution

Communicator

Hi There,

It may be worth putting the index=windowseventlogs & index=linuxauditlogs within the inputs.conf on the Heavy Forwarder as well for the relevant inputs, ensure you restart the service after making the amendment

View solution in original post

0 Karma

New Member

Thanks for the response!

Adding the index= directly to the universal forwarder instead of only on the indexer worked for me.

0 Karma

Communicator

Hi There,

It may be worth putting the index=windowseventlogs & index=linuxauditlogs within the inputs.conf on the Heavy Forwarder as well for the relevant inputs, ensure you restart the service after making the amendment

View solution in original post

0 Karma