Hi dottom

well basicly an indexer can do the same filtering/routing of data like a forwarder. here is a post about how to configure forwarder to send different information to 2 different indexers

so your indexer can be setup to filter data to different indexes or forward any data to 3rd party systems.

regrads

My scenario is different in that I don't want to filter out events from being indexed. What I want to do is filter events to be forwarded, i.e. do not forward some events (only index it), forward specific sourcetype to remoteHostA, forward specific REGEX string to remoteHostB, etc.

The scenario:

• A single inputs.conf stanza receives logs from 100 different systems.

• I want to index all of them (using "indexAndForward" and _INDEX_AND_FORWARD_ROUTING in each input stanza).

• But I want to selectively forward some logs to some other log consumer devices (using props.conf and transforms.conf, which does not work for "indexAndForward").

I don't want to just forward using LWF/HF/UF which is very flexible to customize using props.conf and transforms.conf. This is a "index and selectively forward" approach.

As a kludge, I've considered running both a forwarder and index instance (two Splunk instances) and have the forwarder forward locally what I want indexed, and forward remotely what I want sent off to other log collection devices. But I really don't want to run two Splunk instances just to have flexible filtering capability for a "index and forward" design.

Hi dottom

either take a look here:
http://splunk-base.splunk.com/answers/1888/how-do-i-configure-splunk-to-filter-out-events-i-dont-wan...

or read the docs here:
http://www.splunk.com/base/Documentation/4.2.1/Deploy/Routeandfilterdatad

both is working as designed, but be aware about this here:
http://splunk-base.splunk.com/answers/13139/wineventlogsecurity-filtering-does-not-work

I just run into this bug last week. but as said, beside this, all is working like in the docs written.

regards