Getting Data In

How can I route two types of data to two different non-Splunk TCP ports?

nick405060
Motivator

Hi guys

I want to forward some of my data from my indexer to one port on our Rapid7 InsightIDR server, and some of my data to a second port on our Rapid7 InsightIDR server.

This is how I forwarded a subset of my data to one port (outputs.conf):

 [tcpout:rapidreader]
 server = IP:PORT
 sendCookedData = false

 [tcpout]
 defaultGroup = rapidreader
 indexAndForward = true
 forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

(and I also commented this out in the default outputs:)

#forwardedindex.0.whitelist = .*
#forwardedindex.1.blacklist = _.*
#forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

This worked fine. But, how do I do this for two ports? You can't do the following because forwardedindex has to be in the global [tcpout].

[tcpout]
defaultGroup = rapidreader1,rapidreader2
indexAndForward = true

[tcpout:rapidreader1]
server = aserver:10012
sendCookedData = false
forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

[tcpout:rapidreader2]
server = aserver:10013
sendCookedData = false
forwardedindex.0.blacklist = ^((?!asa).)*$
0 Karma
Get Updates on the Splunk Community!

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...