Splunk Enterprise

Forward all data to third party Splunk using index

blake1987
Explorer

Hi,

I'm trying to forward all data received by one indexer to a third party Indexer, but rewriting the index for the data sent to the third party.

Everything is configured to come in from the UFs using specific indexes (such as WinEventLog). SplunkA indexes the data into those indexes happily.

There is a requirement to forward all data to SplunkB, but to a dedicated index (such as SubsidiaryIndex instead of WinEventLog). I was originally using indexAndForward in an outputs.conf, but the forwarded data includes the index set by the UFs.

The guide here is close to what I want to do, but I want it to forward all data, and rewrite the index - https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Routeandfilterdatad#Replicate_a_subset... 

props.conf - Note: I feel like the default stanza is wrong, but I'm not sure how else to capture everything. Also, I've tried TRANSFORMS-routing and TRANSFORMS-forward...

[default]
# One TRANSFORMS-<class> setting can list several transforms.conf stanzas;
# they are applied in order.
TRANSFORMS-routing = routeAllIndex, routeAllGroup

transforms.conf

# A transforms.conf stanza carries a single DEST_KEY/FORMAT pair (a second
# pair in the same stanza simply overwrites the first), so the index rewrite
# and the output-group routing live in two stanzas.
[routeAllIndex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = SubsidiaryIndex

[routeAllGroup]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Subsidiary

 

outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Subsidiary]
disabled=false
# false sends only the raw event text; the receiving port on SplunkB must
# then be a raw TCP input, and index/host/sourcetype metadata set on this
# side does not travel with the event. Cooked data (true, the default) is
# what a splunktcp receiving port expects.
sendCookedData=false
server=169.254.153.83:9999

 

Any guidance would really be appreciated! 

0 Karma

thambisetty
SplunkTrust

OK, no problem. Have the same outputs.conf on the HF.

In inputs.conf of the HF:

[default]
_TCP_ROUTING = yourown,Subsidiary

You need to create multiple stanzas, one for each sourcetype in the Windows index events.

# transforms.conf (referenced from the matching props.conf [<sourcetype>]
# stanza as TRANSFORMS-<class> = <stanza name>)
[sourcetype]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = Doors

 

————————————
If this helps, give a like below.
0 Karma

blake1987
Explorer

Thanks @thambisetty, I see where you're going. The only issue is I need to re-write the index on the forwarded logs, instead of forwarding them with the index that the universal forwarder's outputs.conf tagged them with.

I'm having a hard time explaining it clearly, sorry. Something like this:

UF (sets index to Windows) --> IndexerA (indexes to index Windows, and forwards to IndexerB using index Doors) --> IndexerB (indexes to index Doors)

Thanks again!

0 Karma

thambisetty
SplunkTrust

@blake1987 

Check my updated answer. Hope you have understood how to parse; I have now updated it with how to change the index.

————————————
If this helps, give a like below.
0 Karma

thambisetty
SplunkTrust

Have one more stanza in outputs.conf:

[tcpout]
defaultGroup=yourown

[tcpout:yourown]
server=ip:port

[tcpout:Subsidiary]
server=169.254.153.83:9999

inputs.conf, for example:

[WinEventLog://Security]
_TCP_ROUTING = yourown,Subsidiary

Everything from the client where the above configurations are configured will be sent to the defaultGroup, but WinEventLog://Security will be forwarded to the default AND to Subsidiary as well.

————————————
If this helps, give a like below.
0 Karma

blake1987
Explorer

Thanks @thambisetty 

My problem is that I'm trying to forward all data, not just a single sourcetype, from the Indexer/Heavy Forwarder.

0 Karma
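Bringing the thread together, here is one way to keep the local copy in the UF-assigned index while SplunkB receives every event under its own index. This is an added example, not configuration from the original posts or from Splunk's documentation; it builds on the CLONE_SOURCETYPE mechanism behind the "Replicate a subset" page linked in the question and on the _TCP_ROUTING / defaultGroup split in thambisetty's answers. It assumes SplunkA parses the UF data itself (UFs send unparsed data) and that SplunkB listens for cooked data on 169.254.153.83:9999. The stanza names cloneForSubsidiary, setCloneIndex and routeClone, the clone sourcetype subsidiary_clone and the index SubsidiaryIndex are illustrative, and the configuration has not been run against a live deployment.

```ini
# ---- SplunkA (the indexer that receives from the UFs) ----
# Illustrative names: cloneForSubsidiary, setCloneIndex, routeClone,
# subsidiary_clone, SubsidiaryIndex, Subsidiary.

# props.conf
[default]
# Runs for every event SplunkA parses. The REGEX in the transform stops
# the clone from being cloned again when this stanza applies to it.
TRANSFORMS-clone = cloneForSubsidiary

[subsidiary_clone]
# Only the cloned copy carries this sourcetype, so only it is re-indexed
# and routed; the original keeps the UF-assigned index and sourcetype.
TRANSFORMS-subsidiary = setCloneIndex, routeClone

# transforms.conf
[cloneForSubsidiary]
# MetaData:Sourcetype holds "sourcetype::<name>"; match every sourcetype
# except the clone itself (negative lookahead) to avoid a clone loop.
SOURCE_KEY = MetaData:Sourcetype
REGEX = ^sourcetype::(?!subsidiary_clone$)
CLONE_SOURCETYPE = subsidiary_clone

[setCloneIndex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = SubsidiaryIndex

[routeClone]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Subsidiary

# outputs.conf
[indexAndForward]
index = true

[tcpout]
# Kept from the question: no group named "nothing" exists, so events
# without _TCP_ROUTING (the originals) are not forwarded. Confirm in
# splunkd.log that they are indexed locally and nothing else is sent.
defaultGroup = nothing

[tcpout:Subsidiary]
# SplunkB is a Splunk indexer, so send cooked data (the default) so the
# rewritten index and the original host travel with the event.
sendCookedData = true
server = 169.254.153.83:9999
```

Three things to check before relying on this. First, the copy SplunkB receives has sourcetype subsidiary_clone, not the original one, so any SplunkB configuration keyed on WinEventLog sourcetypes will not apply to it; one clone stanza per original sourcetype (as thambisetty suggests) preserves that distinction at the cost of more stanzas. Second, indexAndForward indexes everything that reaches the index queue, so SplunkA will also try to index the clone into SubsidiaryIndex; either create that index on SplunkA and accept the duplicate, or look at Splunk's selectiveIndexing documentation to index the originals only. Third, these index-time transforms only run on data SplunkA parses itself; events that arrive already cooked from another heavy forwarder are not re-evaluated, and with sendCookedData = false the rewritten index never reaches SplunkB at all, since a raw TCP input takes its index from its own inputs.conf stanza.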