Solved: How to forward the event of a specific index on th...

xsstest · ‎05-22-2017

I have a separate Splunk Enterprise instance, The 9997 port has been enabled to receive events from each host and set up their own index for them。For example: apache_access, secure ect .....

now , I want to convert it into a heavy forwarder and forwards these events to an indexer cluster.

So the question is coming，

How do I forward the event of a specific index on the heavy forwarder, （for example: apache_access） to the specified index of the indexer cluster (for example: web_apache_access)

Example:

apache_access (from heavy-forwarder) ————————>Forward TO ————>web_apache_access（indexer clustering）

xsstest · ‎05-26-2017

You only need to enable heavy-forwarder
As long as the heavy-forwarder and indexer clusters have the same index name.

For information on how to enable heavy forwarder, read the documentation: http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Deployaheavyforwarder

View solution in original post

xsstest · ‎05-26-2017

You only need to enable heavy-forwarder
As long as the heavy-forwarder and indexer clusters have the same index name.

For information on how to enable heavy forwarder, read the documentation: http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Deployaheavyforwarder

xsstest · ‎05-23-2017

Why no one answered the question?

How to forward the event of a specific index on the heavy forwarder to the specified index of another indexer?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?