hi there,
I have some machines that collect Security logs from Windows. The universal forwarders on those machines have this kind of conf:
[WinEventLog://Security]
index=a
_TCP_ROUTING=indexer1, indexer2
Indexer1 and indexer2 are part of two different Splunk Enterprise installations: for indexer1 the 'a' index is correct, but the indexer2 puts security logs on index 'b'.
So I need to change my index on indexers or on heavy forwarders. How can I do this?
##########
I've tried this on the indexer:
props.conf
[source::WinEventLog:Security]
TRANSFORMS-indexing1 = idx_change
transforms.conf
[idx_change]
SOURCE_KEY=_raw
REGEX=.
# Splunk documents this key as _MetaData:Index (capital D); use that exact spelling
DEST_KEY=_MetaData:Index
FORMAT=b
SOLVED: in inputs.conf just specify the sourcetype or the source in order to let the indexer intercept the data and apply the transforms stanza.
So my inputs.conf is like this:
[WinEventLog://Security]
index=a
sourcetype=WinEventLog
source=WinEventLog:Security
# group names must match the [tcpout:<group>] stanzas in outputs.conf
_TCP_ROUTING=groupA, groupB
Can you share the outputs.conf configuration?
I need that configuration to understand the forwarder routing.
On the forwarder the outputs.conf is like this:
[tcpout:groupA]
server=indexer1:9997
[tcpout:groupB]
server=indexer2a:9997, indexer2b:9997
Above I mentioned groupA as indexer1 and groupB as indexer2: groupB is made of two indexers in a cluster.
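As an added example, not from this thread or from Splunk itself: a small Python checker for the two mistakes a setup like this tends to run into, routing group names in _TCP_ROUTING that have no matching [tcpout:<group>] stanza in outputs.conf, and a DEST_KEY that is not spelled exactly _MetaData:Index. The .conf text is constructed sample input that deliberately contains both mistakes.

```python
import configparser

# Constructed sample .conf fragments (assumption: they mirror a forwarder set up like the
# one in the thread, with two deliberate mistakes so the checks below have something to find).
INPUTS_CONF = """
[WinEventLog://Security]
index=a
sourcetype=WinEventLog
source=WinEventLog:Security
_TCP_ROUTING=group a, group b
"""
OUTPUTS_CONF = """
[tcpout:groupA]
server=indexer1:9997
[tcpout:groupB]
server=indexer2a:9997, indexer2b:9997
"""
TRANSFORMS_CONF = """
[idx_change]
SOURCE_KEY=_raw
REGEX=.
DEST_KEY=_Metadata:Index
FORMAT=b
"""

def parse_conf(text):
    """Parse a Splunk .conf file into {stanza: {key: value}}, keeping key case."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys such as _TCP_ROUTING and DEST_KEY are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_routing(inputs_text, outputs_text):
    """Return (input stanza, group) pairs where _TCP_ROUTING names a group with no [tcpout:<group>]."""
    groups = {s.split(":", 1)[1] for s in parse_conf(outputs_text) if s.startswith("tcpout:")}
    missing = []
    for stanza, keys in parse_conf(inputs_text).items():
        for group in keys.get("_TCP_ROUTING", "").split(","):
            group = group.strip()
            if group and group not in groups:
                missing.append((stanza, group))
    return missing

def check_index_transforms(transforms_text):
    """Return stanzas that target the index key with a spelling other than _MetaData:Index."""
    bad = []
    for stanza, keys in parse_conf(transforms_text).items():
        dest = keys.get("DEST_KEY", "")
        if dest.lower() == "_metadata:index" and dest != "_MetaData:Index":
            bad.append(stanza)
    return bad
```

Run the two checks against the real files under $SPLUNK_HOME/etc before restarting the forwarder; an empty list from both means the routing groups and the index-rewrite key line up.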