Getting Data In

How can I route data to specific indexers using a heavy forwarder?

MAShawky
Explorer

I have a universal forwarder that sends 2 source types to heavy forwarder successfully. i need this heavy forwarder to route the received source types between 2 indexers.

My configurations on heavy forwarder is like below

props.conf

[cron]
 TRANSFORMS-routing=cron-route

[syslog]
 TRANSFORMS-routing=syslog-route

Transforms.conf

[cron-route]
DEST_KEY=_TCP_ROUTING
FORMAT=indexer-1

[syslog-route]
DEST_KEY=_TCP_ROUTING
FORMAT=indexer-2,indexer-1

outputs.conf

[tcpout:indexer-1]
server = 192.168.14.14:9997

[tcpout:indexer-2]
server = 192.168.14.15:9997

Thanks in advance

1 Solution

jcrabb_splunk
Splunk Employee
Splunk Employee

The document that discusses this can be found here:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad#Filter_and_route_ev...

At first glance, your configuration appears to be mostly right. I think you will also need to include the "REGEX" setting under each transforms.conf stanza.

[cron-route]
REGEX = (.)
DEST_KEY=_TCP_ROUTING
FORMAT=indexer-1

[syslog-route]
REGEX = (.)
DEST_KEY=_TCP_ROUTING
FORMAT=indexer-2,indexer-1

Try and and see if that works.

Jacob
Sr. Technical Support Engineer

View solution in original post

jcrabb_splunk
Splunk Employee
Splunk Employee

The document that discusses this can be found here:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad#Filter_and_route_ev...

At first glance, your configuration appears to be mostly right. I think you will also need to include the "REGEX" setting under each transforms.conf stanza.

[cron-route]
REGEX = (.)
DEST_KEY=_TCP_ROUTING
FORMAT=indexer-1

[syslog-route]
REGEX = (.)
DEST_KEY=_TCP_ROUTING
FORMAT=indexer-2,indexer-1

Try and and see if that works.

Jacob
Sr. Technical Support Engineer

MAShawky
Explorer

solved now,, thanks alot 🙂

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...