So my issue is that I am not sure how to get Splunk to separate data on the indexer.
I am trying to listen on the forwarder on port 514 (for Linux syslog) and 6161 (for Windows event logs). I use _TCP_ROUTING to send it to a tcpout target group associated with the indexer ports 9997 and 9998, which allows me to have a splunktcp:// index= for each port.
Am I doing this all wrong, and how can I get Splunk to separate the Windows and Linux logs into two different indexes?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarder:
fwd inputs.conf -
# WMI scripted input; it has no _TCP_ROUTING, so it goes to every group in defaultGroup
[scripts://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled=0
# Raw TCP syslog listener (binding 514 needs root or CAP_NET_BIND_SERVICE)
[tcp://514]
_TCP_ROUTING=Linux
# Raw TCP listener for the Windows event log feed
[tcp://6161]
_TCP_ROUTING=Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
fwd outputs.conf -
[tcpout]
# Listing two groups here clones every input that lacks _TCP_ROUTING to both of them
defaultGroup=Windows, Linux
[tcpout:Windows]
server=(server ip):9997
[tcpout:Linux]
server=(server ip):9998
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
indexer:
index inputs.conf -
[default]
host = somehost1
# tcpout sends cooked Splunk-to-Splunk data, so the receiving stanzas
# must be splunktcp://, not tcp:// (tcp:// would treat the stream as raw bytes)
[splunktcp://9997]
index=windowseventlogs
connection_host=dns
[splunktcp://9998]
index=linuxauditlogs
connection_host=dns
Hi There,
It may be worth putting index=windowseventlogs and index=linuxauditlogs in the inputs.conf on the Heavy Forwarder as well, for the relevant inputs; ensure you restart the service after making the amendment.
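As an added example (not the answerer's or the original poster's own config), here is what the forwarder-side and indexer-side files look like once each input names its own index. The output group name `Indexers`, the single receiving port 9997, the `$SPLUNK_HOME/etc/system/local` paths and the `$SPLUNK_DB` bucket paths are assumptions; the index names and input ports come from the question. The WMI scripted input is left out so the example only covers the two network inputs.

```ini
# --- Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf (assumed path) ---
# Each input sets its index here. The forwarder carries that index name inside
# the cooked data, so the indexer no longer needs one receiving port per index.
[tcp://514]
index=linuxauditlogs
_TCP_ROUTING=Indexers

[tcp://6161]
index=windowseventlogs
_TCP_ROUTING=Indexers

# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf (assumed path) ---
# One output group is enough once the index is chosen per input. Keep a single
# group in defaultGroup: with two, every input without _TCP_ROUTING is cloned to both.
[tcpout]
defaultGroup=Indexers

[tcpout:Indexers]
server=(server ip):9997

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf (assumed path) ---
# Forwarder traffic is Splunk-to-Splunk, so the receiver must be splunktcp://, not tcp://.
# No index= here: the index name arrives with each event.
[splunktcp://9997]
connection_host=dns

# --- Indexer: $SPLUNK_HOME/etc/system/local/indexes.conf (assumed path) ---
# Both indexes must exist on the indexer. Events addressed to an index that does
# not exist are dropped (unless lastChanceIndex is configured), so create them first.
[linuxauditlogs]
homePath=$SPLUNK_DB/linuxauditlogs/db
coldPath=$SPLUNK_DB/linuxauditlogs/colddb
thawedPath=$SPLUNK_DB/linuxauditlogs/thaweddb

[windowseventlogs]
homePath=$SPLUNK_DB/windowseventlogs/db
coldPath=$SPLUNK_DB/windowseventlogs/colddb
thawedPath=$SPLUNK_DB/windowseventlogs/thaweddb
```

Restart splunkd on both hosts after the change. To confirm what is actually in effect, run `splunk btool inputs list --debug` on the forwarder and look for the `index` line under each `[tcp://...]` stanza, then search `index=linuxauditlogs | stats count by host` and `index=windowseventlogs | stats count by host` on the indexer to check that each feed lands only in its own index.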
Thanks for the response!
Adding the index= directly to the universal forwarder instead of only on the indexer worked for me.