Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send event from UF to multiple Heavy Forwarders and different indexers

randqm
Loves-to-Learn Everything
‎03-14-2023 05:36 AM

I have the following situation:

I have an universal forwarder that were sent logs to (HF1 and index=idx1)

Could you provide suggestions on how to configure this universal forwarder (UF) to send logs to both (HF1 and index=idx1) and (HF2 and index=idx2)?

Any insights or advice would be appreciated. Thank you.

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-14-2023 06:11 AM

Hi @randqm,

let me understand: do you want to send different logs to the two HFs or the same?

if the same, you have to configure the outputs.conf on the UF lke the following:

in outputs.conf:

[tcpout]
defaultGroup=HF1

[tcpout:HF1]
server=<ip_hf1>:9997

[tcpout:HF2]
server=<ip_hf2>:9997

in props.conf:

[default]
TRANSFORMS-routing=HF1

[syslog]
TRANSFORMS-routing=HF2

in transforms.conf

[HF1]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=HF1

[HF2]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=HF2

you can find more information at https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Routeandfilterdatad

if you have to send different sets of data, you have to change the regexes in transforms.conf to filter data to send to HFs.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-14-2023 08:20 AM

Remember that UFs don't do transforms unless you force_local_processing.

So it's better to set _TCP_ROUTING directly at input level.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-15-2023 01:35 AM

outputs.conf should be set as in @gcusello 's example but instead of props.conf and transforms.conf entries you just add

_TCP_ROUTING = HF1

or

_TCP_ROUTING = HF2

into input.conf stanzas depending on which output you want to point each data stream to.

0 Karma
Reply

randqm
Loves-to-Learn Everything
‎03-21-2023 01:13 AM

How can I configure to send to different indexers

0 Karma
Reply

randqm
Loves-to-Learn Everything
‎03-15-2023 12:42 AM

Thanks for the response
Do you can give me an example for the confs files?

0 Karma
Reply
Get Updates on the Splunk Community!

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...