Getting Data In

How can I route two types of data to two different non-Splunk TCP ports?


Hi guys

I want to forward some of my data from my indexer to one port on our Rapid7 InsightIDR server, and some of my data to a second port on our Rapid7 InsightIDR server.

This is how I forwarded a subset of my data to one port (outputs.conf):

 server = IP:PORT
 sendCookedData = false

 defaultGroup = rapidreader
 indexAndForward = true
 forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

(and I also commented this out in the default outputs:)

#forwardedindex.0.whitelist = .*
#forwardedindex.1.blacklist = _.*
#forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

This worked fine. But, how do I do this for two ports? You can't do the following because forwardedindex has to be in the global [tcpout].

defaultGroup = rapidreader1,rapidreader2
indexAndForward = true

server = aserver:10012
sendCookedData = false
forwardedindex.0.blacklist = ^((?!alerts|cyberark).)*$

server = aserver:10013
sendCookedData = false
forwardedindex.0.blacklist = ^((?!asa).)*$
0 Karma
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...