Getting Data In

Send Windows Event Log Info To 2 Different Indexers

chrisbutcher
New Member

We have a strange setup in my company whereby we have separate application support and infrastructure teams that have different requirements. For security and compliance reasons we cannot have both teams accessing the data on both Indexers.

What we would like to know is if it is possible to index a Windows event log to 2 different indexers. The same information needs to be sent to both indexers.

So as an example, on Server_A we would like to send all event log data to Indexer_A and all data to Indexer_B, ensuring the same data is sent to both Indexers.

0 Karma

martin_mueller
SplunkTrust

You can set up data cloning by specifying multiple target groups in outputs.conf:

[tcpout]
defaultGroup = groupA, groupB

[tcpout:groupA]
server=a.a.a.a:9997

[tcpout:groupB]
server=b.b.b.b:9997

http://docs.splunk.com/Documentation/Splunk/6.1.1/Admin/outputsconf

martin_mueller
SplunkTrust

I don't think that'd be easy to do on a Universal Forwarder, I could be wrong there of course.

One way that would certainly work is to have Indexer B rewrite incoming events destined for Index A into Index B.

0 Karma
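The index rewrite Martin describes, as an added example that is not part of the original thread: props.conf and transforms.conf placed on Indexer B only (not on the forwarder), assuming the deployed app sets index=index_a on the forwarder, that Indexer B's index is called index_b, and that the events arrive with the stock WinEventLog source names.

```ini
# transforms.conf on Indexer B (added example; index names are assumed)
# Unconditionally rewrite the destination index of any matching event.
[rewrite_index_a_to_b]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_b

# props.conf on Indexer B
# Apply the rewrite to every Windows event log source (WinEventLog:Security,
# WinEventLog:Application, ...) at index time, before the event is written.
[source::WinEventLog...]
TRANSFORMS-rewriteindex = rewrite_index_a_to_b
```

index_b must already exist on Indexer B and Splunk there needs a restart after the files are added; because nothing changes on the forwarder or on Indexer A, Indexer A keeps writing the same cloned events to index_a.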

chrisbutcher
New Member

That works great, thanks. Was in the right area with a second group, but didn't specify it in the default group stanza.

This has however thrown up a further question. The 2 indexes on the indexers have different names. In one of the deployed apps we specify an index name for the data and this overwrites the default index name used.

So we now have eventlogs going to 2 different indexers but it is looking for the same index on each Server.

Can I configure it so as to send to Index_A on Server_A and Index_B on Server_B?

0 Karma