How to input data into: Multiple enterprise instan...

soumyajk · ‎05-17-2018

I am trying to install a newer version of Splunk enterprise.
As part of this, I want the universal forwarders to forward data to both new and old Splunk enterprise - Indexer masters.

Is there a way to do it?
The new Splunk will have different indexes configured, while the old Splunk should not get affected which has its own indexes.

I read about 2 options
1. Multiple UF on the same machine (this is not supported by Splunk)
2. Cloning data in

transforms.conf

and sending the cloned data to new Splunk, to the index I want.

soumyajk · ‎05-23-2018

Can anyone confirm if the below will work?

I have created a new index = test_index in SPLUNK 2 (new)

In the master-apps I have added transforms and props asking to override the data coming in and assigning to the new index.
transforms.conf
[test_index]
REGEX= Have to create appropriate regex for # optional as it is . By default, and I want all data to go to new index
FORMAT = test_index# index name to which we are sending data
DEST_KEY = MetaData:Index # specifying to store the value in FORMAT as index name

props.conf
[host:: abc.cdef.rr]
TRANSFORMS-index = test_index

I will have to add more in props.conf as I add the hosts. Please share thoughts. Much appreciated
Thanks

How to input data into: Multiple enterprise instances (different indexer & index configuration via Universal Forwarder

indexer

universal forwarder

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?