I have a Splunk enterprise cluster which also needs to forward some logs to a completely separate Splunk cluster.
I couldn't easily find a way in my heavy forwarder config to send logs locally to one index and to another index in the remote cluster.
In my outputs.conf I have [tcpout:local]
and [tcpout:remote]
My props.conf
[syslog]
TRANSFORMS-routing = remote-routing
And transforms.conf
[remote-routing]
REGEX = .
DEST_KEY = _TCP_ROUTING
# route to local Splunk and remote Splunk
FORMAT = local,remote
How can I update this so that locally the logs go to a syslog index (the default) and in the remote Splunk they go to an index syslog_xyz?
You'll need to use syslog stanzas in outputs.conf instead of tcp.
Such as this example taken from the documentation:
[syslog]
defaultGroup=everythingElseGroup
[syslog:syslogGroup]
server = 10.1.1.197:9997
[syslog:errorGroup]
server=10.1.1.200:9999
[syslog:everythingElseGroup]
server=10.1.1.250:6666
Though you'll also want to set type = tcp as udp is the default.
https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Outputsconf#Syslog_output
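An added example, not part of the answer above, showing how the two-destination setup from the question could be written with a tcpout group for the local indexers and a syslog group for the remote cluster. The group names, the 10.0.0.x addresses and the receiving-side inputs.conf stanza are assumptions; syslog_xyz is the index name from the question.

```ini
# outputs.conf on the heavy forwarder (assumed layout)
[tcpout]
defaultGroup = local

[tcpout:local]
# assumed local indexer addresses
server = 10.0.0.11:9997, 10.0.0.12:9997

[syslog]
defaultGroup = remote

[syslog:remote]
# assumed remote receiver address; udp is the default, so set tcp explicitly
server = 10.0.0.50:1514
type = tcp

# props.conf: run both routing transforms on the syslog sourcetype
[syslog]
TRANSFORMS-routing = local-routing, remote-routing

# transforms.conf: one transform per routing key
[local-routing]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = local

[remote-routing]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = remote

# inputs.conf on the remote cluster's receiving instance (assumed):
# syslog output carries raw text and no Splunk index field, so the
# receiving side picks the index when it ingests the stream.
[tcp://1514]
sourcetype = syslog
index = syslog_xyz
```

The syslog output stanzas carry no TLS settings of their own, so the path to the remote receiver should be a trusted network or a tunnel, while the local tcpout group keeps whatever SSL settings it already has.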
@stephenmuss have you been able to find a solution? I'm facing the same challenge.