
If an indexer receives logs from a heavy forwarder is it able to forward a subset of data to another Indexer?

gcusello
SplunkTrust

Hi at all,
I have some Heavy Forwarders that receive data from some Universal Forwarders and take syslogs from some appliances.
HFs take these logs and forward all of them to an Indexer (Indexer_A) and all the flow runs correctly.

My problem is that I have to forward a part of these logs to another Splunk (Indexer_B) (I know that these logs are indexed two times!):
I configured Indexer_A as described in https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad but I receive in Indexer_B all the data of Indexer_A, also Splunk internal logs.
These are my configurations on Indexer_A

outputs.conf

[tcpout]
indexAndForward = 1

[tcpout:Indexer_B]
disabled = 0
server = 1.1.1.1:9997

props.conf

[WinEventLog:Security]
TRANSFORMS-routing=fw_win

transforms.conf

[fw_win]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=Indexer_B

I'd like to forward only WinEventLog:Security logs, but I receive also other logs, also Splunk internal logs.

My question is: if Indexer_A receives logs from a Heavy Forwarder, is it able to forward a subset of data to another Indexer, or must I do this on the HFs?
If it's possible, what am I doing wrong?

Ciao and thank you.
Giuseppe


jarizeloyola
Path Finder

Based on my analysis, it's not working because the data is already cooked when it reaches indexer_A, so those props/transforms do nothing. Those props/transforms aren't executed on indexer_a at all, because the HF has parsed the data already, sent it to indexer_a as "cooked data", and therefore indexer_a will just put them to disk and skip its local props/transforms.


gjanders
SplunkTrust

Wanted to confirm jarizeloyola's answer: you need to do this at the source enterprise server or not pass the data through a HF at all!

You can re-cook data but it is unsupported and would not be a good idea on the indexing tier...

You might be able to use CLONE_SOURCETYPE at the HF and then route it with changes refer to:
https://answers.splunk.com/answers/556300/how-can-i-use-clone-sourcetype-to-send-a-cloned-mo.html
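To make the accepted answer concrete, here is how the routing from the question looks when it is placed on the Heavy Forwarder, which is where the data is actually parsed, instead of on Indexer_A. This is an added example, not the configuration of the original poster or of either answer; the Indexer_A address (10.0.0.10:9997) and the stanza name route_security are assumptions, while 1.1.1.1:9997 and the WinEventLog:Security sourcetype come from the question. With a comma-separated FORMAT, the Security events are sent to both output groups, while every other event (including Splunk's own internal logs) follows defaultGroup and reaches only Indexer_A.

```ini
# Added example (not the original poster's configuration): routing done on the
# Heavy Forwarder, where parsing happens, instead of on Indexer_A.
# Assumed: Indexer_A listens on 10.0.0.10:9997 (placeholder address);
# Indexer_B on 1.1.1.1:9997 as in the question.

# --- outputs.conf on the Heavy Forwarder ---
[tcpout]
# Events that no transform routes explicitly go here and only here.
defaultGroup = Indexer_A

[tcpout:Indexer_A]
server = 10.0.0.10:9997

[tcpout:Indexer_B]
server = 1.1.1.1:9997

# --- props.conf on the Heavy Forwarder ---
[WinEventLog:Security]
TRANSFORMS-routing = route_security

# --- transforms.conf on the Heavy Forwarder ---
[route_security]
# Match every Security event; _TCP_ROUTING replaces the default group for the
# matched events, so both groups must be listed if Indexer_A should still get them.
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Indexer_A,Indexer_B
```

With this in place, the props.conf/transforms.conf stanzas and the indexAndForward setting from the question are no longer needed on Indexer_A. After restarting the HF, the effective configuration can be checked with `splunk btool outputs list --debug` and `splunk btool transforms list route_security --debug`, which show which file each setting is coming from; the routing only takes effect on the instance that parses the data, so running the same btool commands on Indexer_A would show the stanzas but they would still be skipped for cooked input.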

gcusello
SplunkTrust

Hi @jarizeloyola,
thank you very much for your help!
It's a limitation!

Ciao and next time.
Giuseppe
