Getting Data In

How do you forward active directory events to different Splunk Clusters?



I have two companies that use the same Active Directory but each one has a different Splunk platform (both in cluster mode).

Now, I have installed a universal forwarder (UF) on each domain controller, and I want to forward events to both Splunks under these conditions:

  • Get only events with specific EventCodes
  • Forward information about the whole domain to the Splunk of the first company
  • Forward information only about the second company's OU to the Splunk of the second company

The configuration that I have (I don't know if it's OK):

# inputs.conf
disabled = false
index = active_directory
start_from = newest
whitelist1 = 4720,4722,4723,4724..... (eventCodes)
whitelist2 = .*OU=secondCompany,DC=local,DC=domainName$

I don't know how to apply whitelist2 only to the company2 forwarding.

# outputs.conf
server = company1indexer1.local:9997
server = company1indexer2.local:9997
server = company2indexer1.local:9997
server = company2indexer2.local:9997

If I'm right, I have to deploy the application to the UFs (DCs) only from the deployment server of the first company's Splunk, but forward data to the indexers of both Splunks (data cloning). Is that right?

Is it a problem that the indexers of each Splunk use a different pass4SymmKey?

Is it a problem that each Splunk has a different index name for Active Directory logs?

Many thanks.

0 Karma


What you are trying to achieve will unfortunately not work with a Universal Forwarder. We are talking about event routing, which needs to happen on a Heavy Forwarder.

In your case, you would have to implement a routing transformation as follows:


TRANSFORMS-1-routing = route_by_company1
TRANSFORMS-2-routing = route_by_company2




Your outputs.conf can stay as is.

I am not 100% sure if I did all stanzas correctly, but you should get the basic idea of what needs to be done. Important step: you need a Heavy Forwarder for that. If you can't install an HF on the Domain Controller, you should consider installing an additional HF as an intermediate forwarder, sending all your DC traffic to this HF, and doing the routing there.

A last option would be filtering out the unwanted events on the company2 indexers, by sending them to the nullQueue instead of indexing. This, however, would mean you have to send the traffic to both companies, which might be a compliance issue. But that's something you have to consider.

0 Karma
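A complete set of Heavy Forwarder stanzas for the routing described in the answer above, as an added example; it is not the answerer's snippet nor configuration shipped by Splunk. The output group names (company1_indexers, company2_indexers), the transform name (route_ou_secondcompany) and the use of the classic WinEventLog:Security sourcetype are assumptions; the hostnames, index name, OU distinguished name and EventCodes are the ones from the question. The design is: every event goes to company 1 by default, and only events matching the second company's OU get a _TCP_ROUTING override that adds company 2's group.

```ini
# inputs.conf (on the UF on each DC, or on the HF if it reads the log itself).
# EventCode filtering can stay at the input; only the OU-based split below needs parsing.
[WinEventLog://Security]
disabled = false
index = active_directory
start_from = newest
# Keep only the EventCodes of interest (codes taken from the question; extend the alternation as needed).
whitelist = EventCode=%^(4720|4722|4723|4724)$%

# props.conf (Heavy Forwarder): attach the routing transform to the Security log sourcetype.
[WinEventLog:Security]
TRANSFORMS-routing = route_ou_secondcompany

# transforms.conf (Heavy Forwarder): events whose object DN is in the second company's OU
# are sent to BOTH output groups; everything else keeps the default group from outputs.conf.
[route_ou_secondcompany]
REGEX = OU=secondCompany,DC=local,DC=domainName
DEST_KEY = _TCP_ROUTING
FORMAT = company1_indexers,company2_indexers

# outputs.conf (Heavy Forwarder): one tcpout group per company, indexers as a comma-separated list.
[tcpout]
defaultGroup = company1_indexers

[tcpout:company1_indexers]
server = company1indexer1.local:9997,company1indexer2.local:9997

[tcpout:company2_indexers]
server = company2indexer1.local:9997,company2indexer2.local:9997
```

Two caveats for the questions raised in the original post. The HF sends cooked (already parsed) events, so both indexer sets receive the same index field and will not re-run props/transforms on it; the simplest fix is to create the same index name (active_directory here) on both clusters, or to align the names. pass4SymmKey is used between cluster peers, the cluster manager and search heads, not on the tcpout connection from a forwarder, so the two clusters having different keys does not affect this path; SSL settings on the receiving port, if any, are what the forwarder's tcpout groups have to match.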


Sounds like a fun Splunk environment... I'm just going to comment, because I'm not certain of these answers.

It's been a while since I configured outputs, but I think you want one server setting per stanza, which would be a comma-separated list of indexer/port, e.g. server = idx1:9997, idx2:9997, etc. The way you have it, I think Splunk would just choose either one when processing... btool could probably confirm.

I think you can push all of the settings from one DS; there may be a way to push separate outputs, but probably not worth it.

I don't think you have to worry about the pass4SymmKey, but is any SSL configured for these? That might be tougher.

I'm not sure you can specify both indexes at the input; you may have to pick an environment and use props/transforms to point it at the right index upon arrival?

0 Karma


Thanks for your answer.

What is the data flow between inputs, props, transforms and outputs.conf?

0 Karma