Hello,
I work in a department where there's multiple independent instances of splunk setup. We have need to send specific sourcetypes to multiple indexers. I understand this will be a double hit on our individual licenses that's why we want to limit the duplicate ingestion to only specific sourcetypes.
So sourcetypes abc will be sent to indexer1 and indexer2. Indexer1 and indexer2 are in totally different environments (separate licenses).
I'm assuming this can be accomplished on the universal forwarder by using multiple target groups and modifying the inputs.conf files of the sourcetypes I need duplicated with tcp routing?
Please let me know if this is the best way to do this or is there a better approach
there are many answers on how to do it see here:
https://answers.splunk.com/answers/633477/how-to-forward-same-data-to-two-different-indexers.html
https://answers.splunk.com/answers/481742/how-can-we-send-data-to-2-different-groups-of-inde.html
in docs it described in detail:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Outputsconf#outputs.conf.example
scroll down to find the right example
there are many answers on how to do it see here:
https://answers.splunk.com/answers/633477/how-to-forward-same-data-to-two-different-indexers.html
https://answers.splunk.com/answers/481742/how-can-we-send-data-to-2-different-groups-of-inde.html
in docs it described in detail:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Outputsconf#outputs.conf.example
scroll down to find the right example
Not exactly an answer, but is it not possible to combine all these individual instances into one, and then use RBAC to grant access to data as needed?
It's definitely possible to combine as one environment but not what we're looking to do.
Any particular reason why you don't want to make this a simpler deployment?
We're not allowed to combine into one environment for various reasons (policy related) hence the point of me going down this path. If I could combine environments this would be an easier solution no doubt.
That's a shame