Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Selective forwarding and overrride destination sourcertype and index

adityapavan18
Contributor
‎08-05-2012 12:49 AM

I have a setup where syslog feed is received by a heavy forwarder on udp port. Syslog feed on that particular udp port has sourcetype=syslog_feed and index=syslog_index . And from there i have to route the syslog feed to Actual Indexers.

Now what configuration changes i have to make to forward the data with sourcetype=sl_feed and destination index=sl_index .

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-13-2012 03:49 AM

Hi there,

If you use a Heavy forwarder, you should set the correct sourcetype and index there straight away, since a Heavy forwarder will perform the input and parsing phases. Therefore you should edit the inputs.conf on the Heavy forwarder to the values you want, i.e. sl_feed and sl_index.

For more information on what configuration goes where, see http://docs.splunk.com/Documentation/Splunk/4.3.3/Admin/Configurationparametersandthedatapipeline or
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

Kristian

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...