Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Restrict Universal Forwarder to allowed indices

diconium
Explorer
‎10-23-2020 07:55 AM

We have some external third-party managed systems whose logs should be indexed using Universal Forwarder. As we do not have exclusive control over its configuration we need to ensure that those Forwarders don't add data to a wrong index. So we want to restrict them to some allowed indices.

Unfortunately I couldn't find any solution for this up to now. So how could this be achieved?

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-23-2020 09:23 AM

As @gcusello said the easiest way is to manage this with DS if you manage those in central place. If not then the only option is to use props.conf to ensure that those UFs use correct indexes and actually chances those based on events which they are sending.

r. Ismo

Reply

gcusello
SplunkTrust
SplunkTrust
‎10-23-2020 08:06 AM

Hi @diconium,

let me understand:

  • you have systems that you don't manage,
  • those systems take logs using Universal Forwarders and send them to you Indexers,
  • you want to be sure that the logs go the correct indexes,

is this correct?

If thios is correct, only one question: do you manage configurations (apps) of these UFs using a Deployment Server, or not, in other words, how do you manage UFs configurations?

If yo'sing a Deployment Server, you haven't problems because you can check the addressing of the logs in the correct indexes, if instead you're using a different system to deploy configurations and you don't manage it, the only way if to create on indexers or (if present) on Heavy Forwarders, some index overridings as you can see at https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Routeandfilterdatad#Filter_data_by_tar... .

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...