I have two data sources (Syslog and Netflow) which I am collecting on a dedicated host, where I have installed a Universal Forwarder. It is acting as an intermediate forwarder.
I have to route this data to Indexers of two different organisations on their respective indexes.
Because this routing is based on metadata, I believe I should be able to achieve this using a Universal Forwarder.
Can someone please advise how I can achieve this?
The _TCP_ROUTING setting in inputs.conf works for your case, and you need to configure two tcpout indexer groups in outputs.conf. Your config might look as follows:
[monitor://<your_syslog_file_path>]
index=indexA
sourcetype=<syslog_st>
_TCP_ROUTING = indexerA-group

[monitor://<your_netflow_file_path>]
index=indexA
sourcetype=<netflow_st>
_TCP_ROUTING = indexerA-group

[monitor://<your_syslog_file_path>]
index=indexB
sourcetype=<syslog_st>
_TCP_ROUTING = indexerB-group

[monitor://<your_netflow_file_path>]
index=indexB
sourcetype=<netflow_st>
_TCP_ROUTING = indexerB-group

[tcpout:indexerA-group]
server=<indexerA-host>:9997

[tcpout:indexerB-group]
server=<indexerB-host>:9997
An upvote would be appreciated, and please accept the solution if this reply helps!
@dm1 I too have doubts about that, as the fishbucket ignores the other monitors as duplicates. Just give it a try! If it does not work, you might need an HF to actually achieve this in that case.
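A lint for the inputs.conf / outputs.conf pair shown in the answer above, added here as an example and not part of the original thread: it flags the repeated monitor stanza that the follow-up comment worries about, and any _TCP_ROUTING group that has no matching tcpout stanza. The file paths, hostnames and the check itself are assumptions.

```python
# Constructed sample inputs.conf in the shape of the answer above; the file
# paths, hostnames and the lint logic are assumptions, not from the original post.
INPUTS_CONF = """
[monitor:///var/log/syslog]
index = indexA
_TCP_ROUTING = indexerA-group
[monitor:///var/log/netflow.log]
index = indexA
_TCP_ROUTING = indexerA-group
[monitor:///var/log/syslog]
index = indexB
_TCP_ROUTING = indexerB-group
"""

OUTPUTS_CONF = """
[tcpout:indexerA-group]
server = indexer-a.example.org:9997
[tcpout:indexerB-group]
server = indexer-b.example.org:9997
"""

def parse_conf(text):
    """Parse a Splunk .conf file into (stanza, settings) pairs, keeping duplicates."""
    stanzas = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line[1:-1], {}))
        elif "=" in line and stanzas:
            key, value = line.split("=", 1)
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas

def lint_routing(inputs_text, outputs_text):
    """Return problem strings; an empty list means the pair is consistent."""
    groups = {name.split(":", 1)[1] for name, _ in parse_conf(outputs_text)
              if name.startswith("tcpout:")}
    problems, seen = [], {}
    for name, settings in parse_conf(inputs_text):
        if not name.startswith("monitor://"):
            continue
        if name in seen:  # repeated stanza: the forwarder merges it, earlier index is lost
            problems.append(f"duplicate [{name}]: index={seen[name]} is overridden")
        seen[name] = settings.get("index", "default")
        for group in (g.strip() for g in settings.get("_TCP_ROUTING", "").split(",")):
            if group and group not in groups:
                problems.append(f"[{name}] routes to undefined tcpout group {group!r}")
    return problems
```

Run `lint_routing(INPUTS_CONF, OUTPUTS_CONF)` against your own files; an empty list means every monitor path appears once and every routing group has a tcpout stanza.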
Can you follow this link - Solved: One source to two indexes - Splunk Community
An upvote would be appreciated if this reply helps!
From this link - https://docs.splunk.com/Documentation/Splunk/8.2.1/Forwarding/Routeandfilterdatad#Route_inputs_to_sp... - it seems possible to route to two different indexers, but my main challenge is assigning two indexes to the same source.