Getting Data In

How can I route two types of data to two different non-Splunk TCP ports?

nick405060
Motivator

Hi guys

I want to forward some of my data from my indexer to one port on our Rapid7 InsightIDR server, and some of my data to a second port on our Rapid7 InsightIDR server.

This is how I forwarded a subset of my data to one port (outputs.conf):

 [tcpout:rapidreader]
 server = IP:PORT
 sendCookedData = false

 [tcpout]
 defaultGroup = rapidreader
 indexAndForward = true
 forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

(and I also commented this out in the default outputs:)

#forwardedindex.0.whitelist = .*
#forwardedindex.1.blacklist = _.*
#forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

This worked fine. But, how do I do this for two ports? You can't do the following because forwardedindex has to be in the global [tcpout].

[tcpout]
defaultGroup = rapidreader1,rapidreader2
indexAndForward = true

[tcpout:rapidreader1]
server = aserver:10012
sendCookedData = false
forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

[tcpout:rapidreader2]
server = aserver:10013
sendCookedData = false
forwardedindex.0.blacklist = ^((?!asa).)*$
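One way to get per-port routing without putting forwardedindex filters inside the group stanzas is Splunk's event-level routing in props.conf/transforms.conf (DEST_KEY = _TCP_ROUTING), which selects the tcpout group per event. This is an added example, not the poster's configuration; the sourcetype name cisco:asa and the assumption that the asa index only receives that sourcetype are placeholders for this illustration.

```ini
# outputs.conf
# The global forwardedindex filter still applies to everything that is
# forwarded, whichever group an event ends up in, so keep all wanted indexes here.
[tcpout]
defaultGroup = rapidreader1
indexAndForward = true
forwardedindex.0.blacklist = ^((?!alerts|cyberark|asa).)*$

# Events with no explicit _TCP_ROUTING go to the defaultGroup (port 10012).
[tcpout:rapidreader1]
server = aserver:10012
sendCookedData = false

# Only events tagged by the transform below are sent here (port 10013).
[tcpout:rapidreader2]
server = aserver:10013
sendCookedData = false

# props.conf (on the instance that parses the data, here the indexer)
# Assumed sourcetype: whatever feeds the asa index in your environment.
[cisco:asa]
TRANSFORMS-routing = route_to_rapidreader2

# transforms.conf
# REGEX = . matches every event of that sourcetype; FORMAT names the tcpout group.
[route_to_rapidreader2]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = rapidreader2
```

After a restart, check that nothing unexpected is leaving the box: the blacklist still decides what is forwarded at all, and the transform only decides which of the two groups a forwarded event goes to.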