Solved: Same log different indexers and index

biagiodipalma
Explorer

hi there,

I have some machines that collect Security logs from Windows. The universal forwarder on those machines has this kind of conf:

[WinEventLog://Security]
index=a
_TCP_ROUTING=indexer1, indexer2

Indexer1 and indexer2 are part of two different Splunk Enterprise installations: for indexer1 the 'a' index is correct, but the indexer2 puts security logs on index 'b'.

So I need to change my index on indexers or on heavy forwarders. How can I do this?

##########
I've tried this on the indexer:
props.conf

[source::WinEventLog:Security]
TRANSFORMS-indexing1 = idx_change

transforms.conf

[idx_change]
SOURCE_KEY = _raw
# match every event, so the rewrite applies to all of them
REGEX = .
# the index metadata key is spelled _MetaData:Index (mixed case)
DEST_KEY = _MetaData:Index
FORMAT = b


biagiodipalma
Explorer

SOLVED: in inputs.conf just specify the sourcetype or the source so that the indexer intercepts the data and applies the transforms stanza.

So my inputs.conf is like this:

[WinEventLog://Security]
index = a
# explicit sourcetype/source let the [source::WinEventLog:Security] props stanza match
sourcetype = WinEventLog
source = WinEventLog:Security
# group names must match the [tcpout:<group>] stanzas in outputs.conf
_TCP_ROUTING = groupA, groupB



aasabatini
Motivator

Hi @biagiodipalma 

Can you share the outputs.conf configuration?

I need that configuration to understand the forwarder routing

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

biagiodipalma
Explorer

On the forwarder, outputs.conf is like this:

[tcpout:groupA]
server=indexer1:9997

[tcpout:groupB]
server=indexer2a:9997, indexer2b:9997

Above I referred to groupA as indexer1 and groupB as indexer2: groupB is made of two indexers in a cluster.

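Added example, not code from the thread or from Splunk: a small Python checker that parses the inputs.conf, props.conf, transforms.conf and outputs.conf fragments posted above (embedded here as constructed sample text, in both the original and the fixed form) and flags the three things this thread turned on: `_TCP_ROUTING` groups that do not match any `[tcpout:<group>]` stanza, an input with no explicit `source`/`sourcetype` for the `[source::...]` props stanza to match, and a `DEST_KEY` that is not spelled `_MetaData:Index`. The parser and the matching rule are a simplification (only explicit `source`/`sourcetype`/`host` keys are treated as matchable, and only the `*` and `...` wildcards are handled), not Splunk's own configuration merge logic; `audit_routing` and `parse_conf` are names chosen for this example.

```python
import fnmatch


def parse_conf(text):
    """Minimal Splunk .conf parser: returns {stanza: {key: value}}.
    Handles '#' comment lines and 'key = value' with optional spaces."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            conf[stanza][key.strip()] = value.strip()
    return conf


def props_stanza_matches(pstanza, input_kv):
    """Does a props.conf stanza apply to an input with these explicit keys?
    Only explicit source/host/sourcetype settings count, which is the thread's
    finding: the transform ran once the input set them explicitly."""
    for prefix, key in (("source::", "source"), ("host::", "host")):
        if pstanza.startswith(prefix):
            pattern = pstanza[len(prefix):].replace("...", "*")  # Splunk's '...' wildcard
            value = input_kv.get(key)
            return value is not None and fnmatch.fnmatchcase(value, pattern)
    return input_kv.get("sourcetype") == pstanza  # bare stanza name = sourcetype


def audit_routing(inputs_text, props_text, transforms_text, outputs_text):
    """Return a list of problems; an empty list means the index rewrite should apply."""
    inputs = parse_conf(inputs_text)
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    outputs = parse_conf(outputs_text)
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    problems = []
    for stanza, kv in inputs.items():
        # 1. every _TCP_ROUTING group needs a matching [tcpout:<group>] stanza
        for group in filter(None, (g.strip() for g in kv.get("_TCP_ROUTING", "").split(","))):
            if group not in groups:
                problems.append(f"[{stanza}] _TCP_ROUTING group '{group}' has no [tcpout:{group}] stanza")
        # 2. at least one props stanza must match the input, else no transform runs
        if not any(props_stanza_matches(p, kv) for p in props):
            problems.append(f"[{stanza}] no props.conf stanza matches (set source/sourcetype explicitly)")
    # 3. every referenced transform must exist and use the documented metadata key
    for pstanza, kv in props.items():
        for key, value in kv.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name)
                if t is None:
                    problems.append(f"[{pstanza}] {key} references missing transform '{name}'")
                elif t.get("DEST_KEY", "").lower() == "_metadata:index" and t["DEST_KEY"] != "_MetaData:Index":
                    problems.append(f"[{name}] DEST_KEY must be spelled '_MetaData:Index', got '{t['DEST_KEY']}'")
    return problems


# Constructed samples reproducing the thread's configs (question form, then solved form).
BROKEN_INPUTS = """
[WinEventLog://Security]
index=a
_TCP_ROUTING=indexer1, indexer2
"""
FIXED_INPUTS = """
[WinEventLog://Security]
index=a
sourcetype=WinEventLog
source=WinEventLog:Security
_TCP_ROUTING=groupA, groupB
"""
PROPS = """
[source::WinEventLog:Security]
TRANSFORMS-indexing1 = idx_change
"""
BROKEN_TRANSFORMS = "[idx_change]\nSOURCE_KEY=_raw\nREGEX=.\nDEST_KEY=_Metadata:Index\nFORMAT=b\n"
FIXED_TRANSFORMS = "[idx_change]\nSOURCE_KEY=_raw\nREGEX=.\nDEST_KEY=_MetaData:Index\nFORMAT=b\n"
OUTPUTS = """
[tcpout:groupA]
server=indexer1:9997

[tcpout:groupB]
server=indexer2a:9997, indexer2b:9997
"""

if __name__ == "__main__":
    for label, args in (("broken", (BROKEN_INPUTS, PROPS, BROKEN_TRANSFORMS, OUTPUTS)),
                        ("fixed", (FIXED_INPUTS, PROPS, FIXED_TRANSFORMS, OUTPUTS))):
        print(label, audit_routing(*args) or "OK")
```

Run against the question's fragments it reports the two unknown routing groups, the unmatched input and the `_Metadata:Index` spelling; against the solved fragments it reports nothing. A check like this is cheap to run from the deployment server before pushing an app, which is where index-routing mistakes that silently land Security events in the wrong index are easiest to catch.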