
How can I forward data from UniversalForwarder for 2 instances?

Klimdy
Explorer

I have a universal forwarder with Splunk_TA_Stream and my app _server_app_audit, where in inputs.conf I write _TCP_Routing = mygroup1 or 2 in each app. After that, I write [tcpout:mygroup1 or 2] server = index1:9997 or 2 into outputs.conf in each app, but stream sends data to all indexes.

0 Karma

p_gurav
Champion

Can you please give sample configuration files to understand requirement more?

0 Karma

Klimdy
Explorer

inputs.conf in Splunk_TA_Stream on forwarder:

[streamfwd://streamfwd]
_TCP_ROUTING = testGroup
splunk_stream_app_location = https://my_indexer2:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0

outputs.conf in Splunk_TA_Stream on forwarder:

[tcpout:testgroup]
server = my_indexer2:9997

and I have a second app on the forwarder:

inputs.conf in _server_app_my_app on forwarder:

[monitor:///var/log/audit/audit.log]
_TCP_ROUTING = prodgroup
disabled = false
index = auditd
sourcetype = linux:audit

outputs.conf in _server_app_my_app on forwarder:

[tcpout:prodgroup]
server = my_indexer1:9997

Before, I had an outputs.conf in /local, but I deleted it and restarted splunkforwarder after that. The deployment server is my_indexer1. I need stream data routed to my_indexer2 and linux:audit to my_indexer1, but stream data is being routed to both indexers.

0 Karma
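An added check, not part of the thread and not Splunk's own tooling, for auditing the kind of setup posted above: it parses the inputs.conf and outputs.conf of each app, collects every [tcpout:<group>] stanza the forwarder would merge across apps, and verifies that each _TCP_ROUTING value names one of them. Group names are compared as exact strings; a value that only matches when case is ignored is reported separately so it can be investigated rather than assumed to work. The sample configs are constructed from the values in the post, and the function names and the two-app dictionary layout are assumptions of this example.

```python
"""Audit _TCP_ROUTING references across the apps on a universal forwarder.

Added example, not from the Splunk Community thread.  It parses the
inputs.conf and outputs.conf of each app, collects every [tcpout:<group>]
stanza the forwarder would merge, and checks that each _TCP_ROUTING value
points at one of them.  Names are compared as exact strings; a value that
only matches when case is ignored is reported separately so it can be
investigated rather than silently assumed to work.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the configs posted in the thread (two apps
# on one forwarder).  Only the posted values are reproduced, not real files.
APPS: Dict[str, Dict[str, str]] = {
    "Splunk_TA_Stream": {
        "inputs.conf": """
[streamfwd://streamfwd]
_TCP_ROUTING = testGroup
splunk_stream_app_location = https://my_indexer2:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
""",
        "outputs.conf": """
[tcpout:testgroup]
server = my_indexer2:9997
""",
    },
    "_server_app_my_app": {
        "inputs.conf": """
[monitor:///var/log/audit/audit.log]
_TCP_ROUTING = prodgroup
disabled = false
index = auditd
sourcetype = linux:audit
""",
        "outputs.conf": """
[tcpout:prodgroup]
server = my_indexer1:9997
""",
    },
}

Stanzas = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Stanzas:
    """Minimal parser for Splunk .conf files: [stanza] headers, key = value lines."""
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def tcpout_groups(apps: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each tcpout group name to the app defining it (outputs.conf merges across apps)."""
    groups: Dict[str, str] = {}
    for app, files in apps.items():
        for stanza in parse_conf(files.get("outputs.conf", "")):
            if stanza.startswith("tcpout:"):
                groups[stanza[len("tcpout:"):]] = app
    return groups


Finding = Tuple[str, str, str, str]  # (app, input stanza, group, status)


def check_routing(apps: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one finding per _TCP_ROUTING group that does not resolve exactly:
    'case-mismatch ...' when a group differs only in letter case,
    'unknown-group' when nothing similar is defined at all."""
    groups = tcpout_groups(apps)
    lowered = {g.lower(): g for g in groups}
    findings: List[Finding] = []
    for app, files in apps.items():
        for stanza, keys in parse_conf(files.get("inputs.conf", "")).items():
            routing = keys.get("_TCP_ROUTING")
            if not routing:
                continue
            # _TCP_ROUTING may list several groups separated by commas
            for group in (g.strip() for g in routing.split(",") if g.strip()):
                if group in groups:
                    continue
                if group.lower() in lowered:
                    status = f"case-mismatch vs [tcpout:{lowered[group.lower()]}]"
                else:
                    status = "unknown-group"
                findings.append((app, stanza, group, status))
    return findings


if __name__ == "__main__":
    for finding in check_routing(APPS):
        print(*finding)
```

Run against the constructed sample, the check reports the streamfwd input because its routing value differs only in case from the group its own outputs.conf defines; the audit input resolves cleanly. Point the dictionary at real app directories (one entry per app under etc/apps) to audit a live forwarder.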