Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to index locally and forward a specific sourcetype

sylbaea
Communicator
‎11-22-2017 11:17 PM

Hello,

When events with a specific sourcetype arrive on my indexers, I would like to have both local indexing (default for any kind of sourcetype) but also forward them to another Splunk indexer.

So far I got this... It does properly forward this sourcetype to the external indexer.
But no longer index the events locally.

outputs.conf
[tcpout:externalIndexer]
server = external_indexer:9997

props.conf
[SourceTypeToForward]
TRANSFORMS-routing = sendToExternalIndexer

transforms.conf
[sendToExternalIndexer]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = externalIndexer

How can I enhance this config to have both ?

0 Karma
Reply
1 Solution
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-23-2017 12:53 AM

Hi sylbaea,
see at http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad the part "Perform selective indexing and forwarding"
in details for locally index logs and forward a part of them you have to:
In outputs.conf, add the [indexAndForward] stanza:

[indexAndForward]
index=true
selectiveIndexing=true

Note: This is a global stanza, and only needs to appear once in outputs.conf.
Include the target group stanzas for each set of receiving indexers:

[tcpout:<target_group>]
server = <ip address>:<port>, <ip address>:<port>, ...
...

The forwarder uses the named in inputs.conf to route the inputs.

In inputs.conf, add the _INDEX_AND_FORWARD_ROUTING setting to the stanzas of each input that you want to index locally:

[input_stanza]
_INDEX_AND_FORWARD_ROUTING=<any_string>
...

Add the _TCP_ROUTING setting to the stanzas of each input that you want to forward:

[input_stanza]
_TCP_ROUTING=<target_group>
...

The is the name used in outputs.conf to specify the target group of receiving indexers.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

sylbaea
Communicator
‎11-23-2017 12:20 AM

Thanks. I had a look already to this but it is unclear to me how it could apply to my case.

0 Karma
Reply
Solved! Jump to solution

jbarlow_splunk
Splunk Employee
Splunk Employee
‎11-23-2017 12:35 AM

It has an example as well..

Perform selective indexing and forwarding

With a heavy forwarder only, you can index and store data locally, as well as

forward the data onwards to a receiving indexer. There are two ways to do

this:

1. In outputs.conf:

[tcpout]
defaultGroup = indexers

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout:indexers]
server = 10.1.1.197:9997, 10.1.1.200:9997

2. In inputs.conf, Add _INDEX_AND_FORWARD_ROUTING for any data that you want

index locally, and

_TCP_ROUTING= for data to be forwarded.

[monitor:///var/log/messages/]
_INDEX_AND_FORWARD_ROUTING=local

[monitor:///var/log/httpd/]
_TCP_ROUTING=indexers

0 Karma
Reply
Solved! Jump to solution

sylbaea
Communicator
‎11-23-2017 12:40 AM

I got your point. Thanks 🙂
Will test

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...