Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Index internal logs locally and forward all other logs

k31453
Explorer
‎11-24-2020 09:42 PM

As title suggest, i want to index internal logs only and forwards all other logs to forwarders or idxs.

Here is the setup :

  • I have one cluster and three indexes setup seperately outside cluster.
  • Cluster has CM, SH and three indexers.
  • Those Three indexers i want to use as Heavy forwarder to send all logs out to external indexes

Following is default output.conf:

[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup)
forwardedindex.filter.disable = false
indexAndForward = false

Here is what I have done outputs.conf

 

[tcpout]
defaultGroup=noforward
disabled=false

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:forwarders]
server:<forwarders>:9997

 

 

 
Below is my props.conf

 

 

[default]
TRANSFORMS-forwardit = forwardit

[host::*.foo.splunk.com]
TRANSFORMS-routing = indexing

 

 


Below is transforms.conf

 

 

[forwardit]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = forwarders

[indexing]
REGEX = .
DEST_KEY = _INDEX_AND_FORWARD_ROUTING
FORMAT = local

 

 

 
Essentially all internal indexes should stay within cluster indexes but rest of index or logs forwarded to external indexes.

Labels (2)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-25-2020 10:57 PM

@k31453 

I believe you are looking for below: Note: you can only index _internal logs using this method.

https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Selective_indexing...

 

————————————
If this helps, give a like below.
0 Karma
Reply

k31453
Explorer
‎11-26-2020 04:48 PM

Well. This tells me i have to use inputs.conf to ensure routing. By default I want to forward logs. But if i see internal logs i will index it and not forward it. This basically is telling me i have to put _INDEX_AND_FORWARD_ROUTING on all internal inputs.conf this can cause the issue. 

0 Karma
Reply

k31453
Explorer
‎11-25-2020 04:21 PM

For me by default i want to forward new indexes created and internal indexes has to be indexed locally. My thoughts is , setup tcpgroup for forwarders and in outputs.conf and inputs.conf i should modify but not sure how.

0 Karma
Reply

k31453
Explorer
‎11-25-2020 03:57 PM

Hi, if the intention is to index all internal indexes, i have set _INDEX_AND_FORWARD_ROUTING and 

_TCP_ROUTING which can cause the issue.

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-24-2020 10:06 PM

@k31453 

The Splunk Doc is very much detailed on the question you have asked. check it out using below link.

https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Perform_selective_...

————————————
If this helps, give a like below.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...