Getting Data In

Logs to local HFs if on corp network, else send to Cloud

rene_securelink
Engager

The laptop sends logs to the local HFs if it is connected to the corp network; otherwise it sends logs to Splunk Cloud.
Data should not end up redundant on the indexers.

Is it possible to have this configured?


gcusello
SplunkTrust

Hi rene_securelink,
I don't know if it would be acceptable for you, but you could configure the outputs.conf of your laptop's forwarder to send logs both to the HFs and to Splunk Cloud.
In this way, you send to Splunk Cloud when you aren't connected to the corp network, and to both the HFs and Splunk Cloud when you are connected to the corp network.

Bye.
Giuseppe


woodcock
Esteemed Legend

The easiest way is to have both the HFs and the cloud indexers in your outputs.conf. The problem with this is that it does not prefer the HFs over cloud.


woodcock
Esteemed Legend

Pretty much anything else is going to result in logs both places at least sometimes.



rene_securelink
Engager

Hi Giuseppe,
Thanks for the answer. One question if using 2 groups:
for Cloud there is a certificate to be used. Could that not cause an issue for the internal HFs, as it will not be the same?
Or will each group use its own certificate?

[tcpout]
defaultGroup = internalhf

[tcpout:internalhf]
server = hf1,hf2
sslCertPath = xyz
sslRootCAPath = xyz
sslPassword = xyz

[tcpout:cloud]
server = cloud1,cloud2
sslCertPath = abc
sslRootCAPath = abc
sslPassword = abc

Thanks in advance
René


gcusello
SplunkTrust

Hi rene_securelink,
In the same outputs.conf you have to merge two configurations:

  • one for cloud,
  • one for HFs.

In each section you have to use the options that you're already using: in other words, if you use SSL you have to use it; if not, you don't need it.

You can have multiple certificates.

Bye.
Giuseppe

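As an added check (not code from the thread or from Splunk), this Python script parses an outputs.conf like René's and reports the two points Giuseppe's answer relies on: every tcpout group must appear in defaultGroup for the forwarder to actually send to both destinations, and each group should carry its own certificate settings. The sample config, host names and paths are constructed placeholders.

```python
import configparser

# Constructed sample, modelled on the two-group outputs.conf posted in this thread;
# defaultGroup names only one group, which is the mistake the check below reports.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = internalhf

[tcpout:internalhf]
server = hf1:9997,hf2:9997
sslCertPath = /placeholder/internal_cert.pem
sslRootCAPath = /placeholder/internal_ca.pem

[tcpout:cloud]
server = cloud1:9997,cloud2:9997
sslCertPath = /placeholder/cloud_cert.pem
sslRootCAPath = /placeholder/cloud_ca.pem
"""

SSL_KEYS = ("sslCertPath", "sslRootCAPath")

def parse_outputs_conf(text):
    # Splunk .conf files are INI-like; keep key case so camelCase names survive.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_outputs(text):
    """Return a list of findings; an empty list means the fan-out looks right."""
    cp = parse_outputs_conf(text)
    groups = [s.split(":", 1)[1] for s in cp.sections() if s.startswith("tcpout:")]
    default = [g.strip() for g in cp.get("tcpout", "defaultGroup", fallback="").split(",")]
    findings = []
    for g in groups:
        sec = cp[f"tcpout:{g}"]
        # Only groups named in defaultGroup receive data; a group left out stays idle,
        # so "send to both" requires defaultGroup = internalhf,cloud.
        if g not in default:
            findings.append(f"group '{g}' is not in defaultGroup, so no events go to it")
        missing = [k for k in SSL_KEYS if k not in sec]
        if missing and len(missing) != len(SSL_KEYS):
            findings.append(f"group '{g}' has incomplete SSL settings, missing {missing}")
    # Each destination has its own trust chain; one client cert shared across
    # groups usually means one side rejects the TLS handshake.
    certs = [cp[f"tcpout:{g}"].get("sslCertPath") for g in groups]
    if len(groups) > 1 and len(set(certs)) < len(groups):
        findings.append("groups share the same sslCertPath; each group needs its own")
    return findings
```

Run it against the real $SPLUNK_HOME/etc/system/local/outputs.conf (or the app's local copy) before rolling the forwarder out; an empty result means both groups will receive the cloned stream.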

gcusello
SplunkTrust

Hi rene_securelink,
If this answer satisfies your need, please accept and/or upvote it.
Bye.
Giuseppe


DavidHourani
Super Champion

Yes! And combine that with strict IP filters on the inputs for both the HF and Splunk Cloud receiving ends 😉
