Getting Data In

How can I route two types of data to two different non-Splunk TCP ports?

nick405060
Motivator

Hi guys

I want to forward some of my data from my indexer to one port on our Rapid7 InsightIDR server, and some of my data to a second port on our Rapid7 InsightIDR server.

This is how I forwarded a subset of my data to one port (outputs.conf):

 [tcpout:rapidreader]
 server = IP:PORT
 sendCookedData = false

 [tcpout]
 defaultGroup = rapidreader
 indexAndForward = true
 forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

(and I also commented this out in the default outputs:)

#forwardedindex.0.whitelist = .*
#forwardedindex.1.blacklist = _.*
#forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

This worked fine. But, how do I do this for two ports? You can't do the following because forwardedindex has to be in the global [tcpout].

[tcpout]
defaultGroup = rapidreader1,rapidreader2
indexAndForward = true

[tcpout:rapidreader1]
server = aserver:10012
sendCookedData = false
forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

[tcpout:rapidreader2]
server = aserver:10013
sendCookedData = false
forwardedindex.0.blacklist = ^((?!asa).)*$
0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...