Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to configure a universal forwarder to clone data to two different indexes?

echalex
Builder
‎08-27-2015 02:22 AM

Hello,

We have a setup where we share some data with our partner, so we have set up two different groups in outputs.conf, call them ourGroup and theirGroup. Then in inputs.conf, we set the _TCP_ROUTING to send to both groups. So far, so good.

Now it transpires that our partner would prefer a different naming convention for the index. I've looked at props.conf and transforms.conf, but it doesn't seem possible to change the index name, based on the tcpout-group. I'm not even sure if this is available on the UF.

So option 1 is to have multiple stanzas in inputs.conf for each source, with a different _TCP_ROUTING in each stanza. So, will there be a performance hit on the host with the UF installed? Especially interested in the Windows event log facility and how this would cope with several input stanzas.

Option 2, I guess, is to implement this in the receiving indexers. Whether I want to do this, I'm not completely sure. It would probably have to be our indexers. Our partner would have to implement several stanzas in props.conf, based on the host.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfuente
Motivator
‎08-27-2015 04:31 AM

Hello

Option 1 won't work, you can't have multiple inputs to the same path, it will use only one of them.

The second option is the right one, leave the input without index configuration. And in the indexers use transforms to modify the index dynamically based on the sourcetype. See:

http://answers.splunk.com/answers/8531/routing-to-index-based-on-host-etc.html

Regards

View solution in original post

Reply
Solved! Jump to solution
Solution

gfuente
Motivator
‎08-27-2015 04:31 AM

Hello

Option 1 won't work, you can't have multiple inputs to the same path, it will use only one of them.

The second option is the right one, leave the input without index configuration. And in the indexers use transforms to modify the index dynamically based on the sourcetype. See:

http://answers.splunk.com/answers/8531/routing-to-index-based-on-host-etc.html

Regards

Reply
Solved! Jump to solution

echalex
Builder
‎08-27-2015 05:06 AM

Thanks! I guessed as much. An additional implied, but not articulated, question was: is there any way of doing this on the Universal Forwarder (using single stanzas)?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...