Getting Data In

HF different index names for each target group

stephenmuss
Engager

I have a Splunk enterprise cluster which also needs to forward some logs to a completely separate Splunk cluster.

I couldn't easily find a way in my heavy forwarder config to sends logs locally to one index and to another index in the remote cluster.

In my outputs.conf I have [tcpout:local] and [tcpout:remote]

My props.conf

[syslog]
TRANSFORMS-routing = remote-routing

And transforms.conf

[remote-routing]
REGEX = .
DEST_KEY = _TCP_ROUTING
# route to local Splunk and remote Splunk
FORMAT = local,remote

How can I update this so that locally logs go to a syslog index (the default) and in the remote Splunk they go to an index syslog_xyz?

codebuilder
Influencer

You'll need to use syslog stanzas in outputs.conf instead of tcp.

Such as this example taken from the documentation:
[syslog]
defaultGroup=everythingElseGroup

[syslog:syslogGroup]
server = 10.1.1.197:9997

[syslog:errorGroup]
server=10.1.1.200:9999

[syslog:everythingElseGroup]
server=10.1.1.250:6666

Though you'll also want to set type = tcp as udp is the default.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Outputsconf#Syslog_output----

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

progre55
Engager

@stephenmuss have you been able to find a solution? I'm facing the same challenge.

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...