How to send specific logs to another heavy Forward...

shimab11 · ‎08-06-2023

Hi all,

I want to send specific logs from one Heavy Forwarder to another heavy Forwarder. I don't want to send a full logs i just need to send One of sourcetypes to another Heavy Forwarder.Version of splunk is 9.0.4

How can I do that?

Thx.

gcusello · ‎08-07-2023

Hi @shimab11,

you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.0/Forwarding/Routeandfilterdatad#Filter_and_route_e...

In few words, on the first HF you have to modify:

outputs.conf: adding both the destination and giving to each of them a logical name to use in transforms.conf,
props.conf: adding a transformation to the sourcetype to send,
transforms.conf: adding the tranformation that define where to send data.

In my experience, sometimes it doesn't run so you have to add "_TCP_ROUTING = seconf_HF_group_name" to your inputs.conf

Ciao.

Giuseppe

isoutamo · ‎08-06-2023

Hi

You need to setup two output groups on HF. Then use props and transforms conf to select target group based on event content or source. There are several examples on community and docs are described how to do it.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd

r. Ismo

How to send specific logs to another heavy Forwarder?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation