Getting Data In

How do you forward active directory events to different Splunk Clusters?

siemteam
Explorer

Hello,

I have two companies that use the same Active Directory but each one has a different Splunk platform (both in cluster mode).

Now, I have installed a universal forwarder (UF) on each domain controller, and I want to forward events to both Splunks following these conditions:

  • Get just the events with specific EventCodes
  • Forward information about the whole domain to the Splunk of the first company
  • Forward information about only the second company's OU to the Splunk of the second company

The configuration that I have (I don't know if it's OK)

inputs.conf

[WinEventLog://Security]
disabled = false
index = active_directory
start_from = newest
whitelist1 = 4720,4722,4723,4724..... (eventCodes)
whitelist2 = .*OU=secondCompany,DC=local,DC=domainName$

I don't know how to apply whitelist2 just to the company2 forwarding.

outputs.conf

[tcpout]
defaultGroup = company1,company2
[tcpout:company1]
server = company1indexer1.local:9997
server = company1indexer2.local:9997
[tcpout:company2]
server = company2indexer1.local:9997
server = company2indexer2.local:9997

If I'm right, I have to deploy the application to the UFs (DCs) just from the deployer server of the Splunk of the first company, but forward data to the forwarders of both Splunks (data cloning) — is that right?

Is it a problem that the indexers of each Splunk use a different pass4SymmKey?

Is it a problem that each Splunk has a different index name for active directory logs?

Thanks a lot.


DMohn
Motivator

What you are trying to achieve will unfortunately not work with a Universal Forwarder. We are talking about event routing, which needs to happen on a Heavy Forwarder.

https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Routeandfilterdatad#Configure_routing

In your case, you would have to implement a routing transformation as follows:

props.conf

# props.conf matches on source/sourcetype; the Security log arrives with source WinEventLog:Security
[source::WinEventLog:Security]
# TRANSFORMS-<class> stanzas are applied in ASCII order of the class name, so route_by_company1 runs first
TRANSFORMS-1-routing = route_by_company1
TRANSFORMS-2-routing = route_by_company2

transforms.conf

[route_by_company1]
# every Security event is routed to the company1 output group
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = company1

[route_by_company2]
# events from the second company's OU go to both groups; a later write to
# _TCP_ROUTING replaces the earlier value, so both groups must be listed here
REGEX = .*OU=secondCompany,DC=local,DC=domainName$
DEST_KEY = _TCP_ROUTING
FORMAT = company1,company2

Your outputs.conf can stay as is.

I am not 100% sure if I did all stanzas correctly, but you should get the basic idea of what needs to be done. Important step: you need a Heavy Forwarder for that. If you can't install an HF on the Domain Controller, you should consider installing an additional HF as an intermediate forwarder, send all your DC traffic to this HF, and do the routing there.

A last option would be filtering out the unwanted events on the company2 indexers, by sending them to the nullQueue instead of indexing. This however would mean you have to send the traffic to both companies, which might be a compliance issue. But that's something you have to consider.

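To show how the two routing transforms above interact, here is an added Python model of Splunk's "last write to _TCP_ROUTING wins" behaviour (example code, not from the answer or from Splunk itself). The events are constructed samples, and the transform tuples assume the stanza names and regex from the answer; it compares a second transform that writes only company2 with one that writes both groups.

```python
import re

# Constructed sample events (not real log data): a trimmed Security event for
# an account in the secondCompany OU, and one for an account in another OU.
# The DN is kept on the last line so that the answer's '$' anchor can match.
EVENT_COMPANY2 = (
    "EventCode=4720\n"
    "Message=A user account was created.\n"
    "New Account: CN=jdoe,OU=secondCompany,DC=local,DC=domainName"
)
EVENT_OTHER = (
    "EventCode=4720\n"
    "Message=A user account was created.\n"
    "New Account: CN=asmith,OU=firstCompany,DC=local,DC=domainName"
)

OU_REGEX = r".*OU=secondCompany,DC=local,DC=domainName$"

# Transforms modelled as (stanza name, REGEX, FORMAT), in the order props.conf
# applies them (ASCII order of the TRANSFORMS-<class> names: 1-routing, 2-routing).
ROUTING_OVERWRITE = [
    ("route_by_company1", r".*", "company1"),
    ("route_by_company2", OU_REGEX, "company2"),
]
ROUTING_CLONED = [
    ("route_by_company1", r".*", "company1"),
    ("route_by_company2", OU_REGEX, "company1,company2"),
]


def tcp_routing(event, transforms):
    """Return the set of tcpout groups the event would be routed to.

    Each matching transform writes DEST_KEY=_TCP_ROUTING, replacing (not
    appending to) whatever an earlier transform wrote. Assumption of the
    model: REGEX is evaluated against the whole raw event text.
    """
    routing = None
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            routing = fmt  # last writer wins
    return set(routing.split(",")) if routing else set()


if __name__ == "__main__":
    for label, rules in (("overwrite", ROUTING_OVERWRITE), ("cloned", ROUTING_CLONED)):
        print(label, "company2 OU ->", sorted(tcp_routing(EVENT_COMPANY2, rules)))
        print(label, "other OU    ->", sorted(tcp_routing(EVENT_OTHER, rules)))
```

With the overwrite variant an event from the second company's OU reaches only company2, so company1 loses part of "all domain"; listing both groups in the second FORMAT clones it to both.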

maciep
Champion

Sounds like a fun Splunk environment... I'm just going to comment, because I'm not certain of these answers.

It's been a while since I configured outputs, but I think you want one server setting per stanza, which would be a comma-separated list of indexer/port, e.g. server = idx1:9997, idx2:9997, etc. The way you have it, I think Splunk would just choose either one when processing... btool could probably confirm.

I think you can push all of the settings from one DS - there may be a way to push separate outputs, but it's probably not worth it.

I don't think you have to worry about the pass4SymmKey, but is there any SSL configured for these? That might be tougher.

I'm not sure you can specify both indexes at input time... you may have to pick an environment and use props/transforms to point it at the right index upon arrival?


siemteam
Explorer

Thanks for your answer.

What is the data flow between inputs.conf, props.conf, transforms.conf and outputs.conf?
