Installation

How to input data into: Multiple enterprise instances (different indexer & index configuration via Universal Forwarder

soumyajk
Engager

I am trying to install a newer version of Splunk enterprise.
As part of this, I want the universal forwarders to forward data to both new and old Splunk enterprise - Indexer masters.

Is there a way to do it?
The new Splunk will have different indexes configured, while the old Splunk should not get affected which has its own indexes.

I read about 2 options
1. Multiple UF on the same machine (this is not supported by Splunk)
2. Cloning data in 

transforms.conf

and sending the cloned data to new Splunk, to the index I want.

Labels (2)
0 Karma

soumyajk
Engager

Can anyone confirm if the below will work?

I have created a new index = test_index in SPLUNK 2 (new)

In the master-apps I have added transforms and props asking to override the data coming in and assigning to the new index.
transforms.conf
[test_index]
REGEX= Have to create appropriate regex for # optional as it is . By default, and I want all data to go to new index
FORMAT = test_index# index name to which we are sending data
DEST_KEY = MetaData:Index # specifying to store the value in FORMAT as index name

props.conf
[host:: abc.cdef.rr]
TRANSFORMS-index = test_index

I will have to add more in props.conf as I add the hosts. Please share thoughts. Much appreciated
Thanks

0 Karma
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...