
I am not able to send logs to 2 different indexers

saramamurthy_sp
Splunk Employee

I have a setup where I have one production indexer and another development indexer. I want all the data to flow into production and a specific set of data to flow into the development indexer.

The Splunk architecture is UF > HF > IDX.

I see that one source type (ping:directory) is able to send its data to both indexers, while the other one (inventory:a10) is sending data only to production, not to development.

There are 2 indexers, which are in different cluster environments.
Indexer1 : Lewisville_Indexers
Indexer2 : DevIndexer

These are the configurations we have set up in our environment.

UF: inputs.conf

[monitor:///opt/csv/a10/*.csv]
disabled = 0
index = inventory
sourcetype = inventory:a10
crcSalt =
initCrcLength = 1048576

[monitor:///u1/ds/logs/access]
sourcetype=ping:directory
index=ti_directory
disabled = 0

HF: props.conf

[ping:directory]
TRANSFORMS-routing=SecOps_Prod_Dev

[inventory:a10]
TRANSFORMS-routing=SecOps_Prod_Dev

transforms.conf

[SecOps_Prod_Dev]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=Lewisville_Indexers,DevIndexers

outputs.conf

[tcpout]
defaultGroup = Lewisville_Indexers,DevIndexers


jpalacian
Path Finder

saramamurthy_sp
Splunk Employee

I would like to send it to 2 different indexers, not indexes.

I see that one of the source types is going to the production indexer but not to the development indexer, though the other source type is going to both with the same configuration, so I am a little confused by this.

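Added example, not the poster's configuration: a complete set of routing stanzas for the UF > HF > IDX setup described in the question and the follow-up, with placeholder hostnames and ports. It makes two things explicit that the posted snippets leave out: the group names in `defaultGroup` and in the transform's `FORMAT` must match `[tcpout:<group>]` stanzas that actually define the receivers, and they must match exactly (the post names the second indexer `DevIndexer` in one place and `DevIndexers` in another). It also shows `_TCP_ROUTING` set directly in the UF's inputs.conf, which is the way to route an input whose events arrive at the HF already parsed (a CSV input using `INDEXED_EXTRACTIONS` on the UF is one such case, and is one thing to check for `inventory:a10`), because the HF's props/transforms are not applied to data that was parsed upstream.

```ini
# ---- outputs.conf on the HF (and on the UF if the UF routes by itself) ----
# Every group named in defaultGroup or in _TCP_ROUTING needs its own
# [tcpout:<group>] stanza; a group with no stanza silently receives nothing.
[tcpout]
defaultGroup = Lewisville_Indexers,DevIndexers

[tcpout:Lewisville_Indexers]
# placeholder receivers, not from the original post
server = prod-idx1.example:9997, prod-idx2.example:9997

[tcpout:DevIndexers]
# placeholder receiver, not from the original post
server = dev-idx1.example:9997

# ---- props.conf on the HF ----
# Same transform for both sourcetypes, as in the post.
[ping:directory]
TRANSFORMS-routing = SecOps_Prod_Dev

[inventory:a10]
TRANSFORMS-routing = SecOps_Prod_Dev

# ---- transforms.conf on the HF ----
# REGEX = . matches every event; FORMAT lists the exact group names
# from outputs.conf (note the trailing "s" in DevIndexers).
[SecOps_Prod_Dev]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Lewisville_Indexers,DevIndexers

# ---- inputs.conf on the UF ----
# Routing decided at the input itself. This applies even when the UF
# parses the data (e.g. INDEXED_EXTRACTIONS = csv for this sourcetype),
# in which case the HF's props/transforms above would not run on it.
[monitor:///opt/csv/a10/*.csv]
disabled = 0
index = inventory
sourcetype = inventory:a10
_TCP_ROUTING = Lewisville_Indexers,DevIndexers
```

To confirm what the HF actually has loaded, run `splunk btool outputs list --debug` and `splunk btool transforms list SecOps_Prod_Dev --debug` on it and compare the group names character for character; then check the UF's effective props for `inventory:a10` with `splunk btool props list inventory:a10 --debug` to see whether it is being parsed before it reaches the HF.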