Installation

How to input data into: Multiple enterprise instances (different indexer & index configuration via Universal Forwarder

Engager

I am trying to install a newer version of Splunk enterprise.
As part of this, I want the universal forwarders to forward data to both new and old Splunk enterprise - Indexer masters.

Is there a way to do it?
The new Splunk will have different indexes configured, while the old Splunk should not get affected which has its own indexes.

I read about 2 options
1. Multiple UF on the same machine (this is not supported by Splunk)
2. Cloning data in 

transforms.conf

and sending the cloned data to new Splunk, to the index I want.

Labels (2)
0 Karma

Engager

Can anyone confirm if the below will work?

I have created a new index = test_index in SPLUNK 2 (new)

In the master-apps I have added transforms and props asking to override the data coming in and assigning to the new index.
transforms.conf
[test_index]
REGEX= Have to create appropriate regex for # optional as it is . By default, and I want all data to go to new index
FORMAT = test_index# index name to which we are sending data
DEST_KEY = MetaData:Index # specifying to store the value in FORMAT as index name

props.conf
[host:: abc.cdef.rr]
TRANSFORMS-index = test_index

I will have to add more in props.conf as I add the hosts. Please share thoughts. Much appreciated
Thanks

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!