Splunk Enterprise Security

Cloning information and forwarding to another splunk indexer from a splunk indexer

troyfred
Explorer

Issue:
I am attempting to get a specific index from an internal splunk setup to an external one without clustering. Thus far I have been lead to believe that using indexandforward is the best option for this. I have 3 test systems sending their logs to the main index while one system is sending each WinEventLog log to their own index's security_logs, application_logs, etc, much like out client systems already are set to do. When I use the below setup with outputs.conf, transforms.conf and props.conf I get the WinEventLog:Security and System, and that is all (the Security being the only one I want to test), however for the one sending all their logs to individual indexes, I get EVERYTHING except those logs.

Current File:

outputs.conf
[tcpout]
defaultGroup = splunkinternal,splunkexternal
[tcpout:splunkexternal]
server = xx.xx.10.19:9997
[tcpout-server://xx.xx.10.19:9997]
[tcpout:splunkinternal]
server = xx.xx.1.6:9997
[tcpout-server://xx.xx.1.6:9997]

props.conf
[syslog]
TRANSFORMS-routing = routeSubset, routeAll

transforms.conf
[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=splunkinternal
[routeSubset]
REGEX=(WinEventLog|Security)
DEST_KEY=_TCP_ROUTING
FORMAT=splunkexternal

Items desired:

Pull in specific indexes (index=security_logs) and only those specific indexes OR specify certain log files (WinEventLog:Security), without getting the others. Any assistance or links would be extremely helpful. See below for links I used to arrive where I am.

https://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad#Replicate_a_subset...
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#IndexAndForward_Processor-----
https://answers.splunk.com/answers/448100/is-it-possible-to-index-and-forward-a-specific-sou.html

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...