Getting Data In

How can I route two types of data to two different non-Splunk TCP ports?

nick405060
Motivator

Hi guys

I want to forward some of my data from my indexer to one port on our Rapid7 InsightIDR server, and some of my data to a second port on our Rapid7 InsightIDR server.

This is how I forwarded a subset of my data to one port (outputs.conf):

 [tcpout:rapidreader]
 server = IP:PORT
 sendCookedData = false

 [tcpout]
 defaultGroup = rapidreader
 indexAndForward = true
 forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

(and I also commented this out in the default outputs:)

#forwardedindex.0.whitelist = .*
#forwardedindex.1.blacklist = _.*
#forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

This worked fine. But, how do I do this for two ports? You can't do the following because forwardedindex has to be in the global [tcpout].

[tcpout]
defaultGroup = rapidreader1,rapidreader2
indexAndForward = true

[tcpout:rapidreader1]
server = aserver:10012
sendCookedData = false
forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

[tcpout:rapidreader2]
server = aserver:10013
sendCookedData = false
forwardedindex.0.blacklist = ^((?!asa).)*$
0 Karma
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...