Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I clone data from a HF to two different splunk instances?

lucacaldiero
Path Finder
Tuesday

How can I clone data from a HF to two different splunk instances? Doubling defaultgroup in outputs.conf does not work.

 

 

 

#splunk #clone #heavyforwarder

Labels (1)
Labels
0 Karma
Reply

PrewinThomas
Motivator
Tuesday

@lucacaldiero 

If you want to clone all data from the Heavy Forwarder to both destinations, this should be sufficient.

[tcpout]
defaultGroup = newgroup,oldgroup

[tcpout:newgroup]
server = xxxx.xxxx.xxxx:9997

[tcpout:oldgroup]
server = xx.xx.xx.xx:9997


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
Tuesday

Hi @lucacaldiero ,

a people from Splunk Support said to me that this solution shouldn't run, but I used it with success:

outputs.conf
[tcpout:newgroup]
server=server = xxxx.xxxx.xxxx.:9997

[tcpout:oldgroup]
server=xx.xx.xx.xx:9997

Don't use defaultGroup.

In this way, you send all logs to both the destinations.

Ciao.

Giuseppe

0 Karma
Reply

lucacaldiero
Path Finder
Tuesday

is something like this correct?

props.conf
[default]
TRANSFORMS-routing=alldata

transforms.conf
[alldata]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=newgroup

outputs.conf
[tcpout]
defaultGroup=oldgroup

[tcpout:newgroup]
server=server = xxxx.xxxx.xxxx.:9997

[tcpout:oldgroup]
server=xx.xx.xx.xx:9997

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
Tuesday

Hi @lucacaldiero 

In your transforms.conf you would need to have both groups in the _TCP_ROUTING:

[alldata]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=newgroup,oldgroup

This will also only work for data ingested directly on the UF, or sent to it from a UF as otherwise it would arrive already parsed, however setting both groups in outputs.conf should work I think - how come this didnt work for you?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...