
Is there a way to send the same data to 2 different instances, one in the cloud and one on prem, to different indexes?

dingra
Loves-to-Learn

We have a tool that writes to a cloud Splunk indexer, but we are trying to migrate to an on-prem system. The current system requires that we write to both at the same time, but unfortunately both indexers have set up different index names for the data.

I've tried updating the files created by the spl install with the new tcp, but this solution seems to ignore one or the other index, causing issues on the indexer in question. I've also tried having them as 2 different setups in the app directory, but then only one of the indexers receives information while the other is ignored.

Is there a way to send the same data to 2 different instances, one in the cloud and one on prem, with each expecting a different index?

0 Karma

gcusello
SplunkTrust

Hi @dingra,

you have to configure outputs.conf on your forwarder to duplicate the logs, sending them to both instances; for more information see https://docs.splunk.com/Documentation/Splunk/9.0.2/Forwarding/Routeandfilterdatad

Then on the on-prem system, on the Indexer or, if present, on the Heavy Forwarder, you have to override the index value by adding these two conf files:

props.conf:

[mysourcetype]
TRANSFORMS-index = overrideindex

transforms.conf:

[overrideindex]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = my_new_index

Ciao.

Giuseppe

0 Karma
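The forwarder side of the answer above, as an added example that is not part of the original posts: listing two target groups in `defaultGroup` clones each event to both. The group names, host names, monitored path and index name are placeholders, and any TLS or credential settings the cloud receiver requires are left out.

```ini
# outputs.conf on the forwarder (constructed example)
[tcpout]
# More than one target group here means every event is cloned to each group.
defaultGroup = cloud_indexers, onprem_indexers

[tcpout:cloud_indexers]
# Placeholder host; 9997 is the conventional receiving port.
server = cloud-idx.example.com:9997

[tcpout:onprem_indexers]
# Placeholder host for the on-prem indexer or heavy forwarder.
server = onprem-idx.example.com:9997

# inputs.conf on the forwarder (constructed example)
# The event leaves the forwarder with a single index value, here the name
# the cloud side expects. The on-prem side rewrites it at parse time with
# the props.conf / transforms.conf override keyed on this sourcetype.
[monitor:///var/log/mytool/app.log]
sourcetype = mysourcetype
index = cloud_index
```

After deploying, searching both instances for the same sourcetype over the same time range is a quick check that neither destination is silently missing events.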

dingra
Loves-to-Learn

Would it be possible to implement this on the cloud indexer? I have more ready access there.

0 Karma

gcusello
SplunkTrust

Hi @dingra,

If you're speaking of a private cloud, where you can access your indexers using SSH, you can do it: it's the same thing; it's different if you're speaking of Splunk Cloud, because you cannot access them.

Pay attention to one point: the filter must be located on the Indexers if you don't have intermediate Heavy Forwarders.

If you have them (and this is usual with cloud architectures), you must put these conf files on the HFs.

Ciao.

Giuseppe

0 Karma