I am planning to send the logs to multiple Splunk indexers (location) based on the log type from one universal forwarder.
Example:
server-1 myapp1.log -> indexer-South
myapp2.log -> indexer-south
myapp3.log -> indexer-east
myapp4.log -> indexer-east
server-2 myapp1.log -> indexer-South
myapp2.log -> indexer-south
myapp3.log -> indexer-east
myapp4.log -> indexer-east
Can this be done? I would like some feedback on how to do that.
Thanks
Hi,
Yes, you can do this.
You need to create two outputs.conf stanzas:
[tcpout:south]
server=server_south:9997
[tcpout:east]
server=server_east:9997
Then you need to do a TCP_routing in inputs.conf:
[monitor://path/myapp1.log]
_TCP_ROUTING = south
[monitor://path/myapp3.log]
_TCP_ROUTING = east
Hope this helps. You have to create an input stanza for each log in this example. But you can also do the matching via regex to reduce the number of input stanzas.
Kind regards
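A pre-deployment check for the routing described in the answer above, as an added example that is not part of the original post or of Splunk itself: it verifies that every `_TCP_ROUTING` value in inputs.conf names a `[tcpout:<group>]` stanza defined in outputs.conf, so a misspelled group is caught before logs fail to reach the intended indexer. The sample configs are constructed from the answer's stanzas, with a deliberately misspelled group `esat` added; the function names are hypothetical.

```python
import configparser

# Constructed sample configs mirroring the stanzas in the answer above;
# myapp4.log deliberately routes to a misspelled group ("esat").
OUTPUTS_CONF = """
[tcpout:south]
server=server_south:9997
[tcpout:east]
server=server_east:9997
"""
INPUTS_CONF = """
[monitor://path/myapp1.log]
_TCP_ROUTING = south
[monitor://path/myapp3.log]
_TCP_ROUTING = east
[monitor://path/myapp4.log]
_TCP_ROUTING = esat
"""

def parse_conf(text):
    """Parse .conf text, keeping key case and treating only '=' as delimiter."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep _TCP_ROUTING exactly as written
    cp.read_string(text)
    return cp

def check_routing(inputs_text, outputs_text):
    """Return (routes, errors): input stanza -> servers, and undefined groups."""
    outputs = parse_conf(outputs_text)
    # Map group name -> server setting for every [tcpout:<group>] stanza.
    groups = {
        s.split(":", 1)[1]: outputs[s].get("server", "")
        for s in outputs.sections() if s.startswith("tcpout:")
    }
    routes, errors = {}, []
    inputs = parse_conf(inputs_text)
    for stanza in inputs.sections():
        routing = inputs[stanza].get("_TCP_ROUTING")
        if routing is None:
            continue  # no explicit routing: the default output group applies
        for group in (g.strip() for g in routing.split(",")):
            if group in groups:
                routes.setdefault(stanza, []).append(groups[group])
            else:
                errors.append((stanza, group))
    return routes, errors

if __name__ == "__main__":
    print(check_routing(INPUTS_CONF, OUTPUTS_CONF))
```
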
Perfect, thanks much TStrauch
