Forward all data to third party Splunk using index

blake1987
Explorer

Hi,

I'm trying to forward all data received by one indexer to a third party Indexer, but rewriting the index for the data sent to the third party.

Everything is configured to come in from the UFs using specific indexes (such as WinEventLog). SplunkA indexes the data into those indexes happily.

There is a requirement to forward all data to SplunkB, but to a dedicated index (such as SubsidiaryIndex instead of WinEventLog). I was originally using indexAndForward in an outputs.conf, but the forwarded data includes the index set by the UFs.

The guide here is close to what I want to do, but I want it to forward all data, and rewrite the index - https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Routeandfilterdatad#Replicate_a_subset... 

props.conf - Note: I feel like the default stanza is wrong, but I'm not sure how else to capture everything. Also, I've tried TRANSFORMS-routing and TRANSFORMS-forward...

[default]
TRANSFORMS-routing = routeAll

transforms.conf

[routeAll]
REGEX=(.)
DEST_KEY = _MetaData:Index
FORMAT = SubsidiaryIndex
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary

outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=169.254.153.83:9999


Any guidance would really be appreciated!

0 Karma

thambisetty
SplunkTrust

OK, no problem. Have the same outputs.conf on the HF.

In inputs.conf of the HF:

[default]
_TCP_ROUTING = yourown,Subsidiary

You need to create multiple stanzas, one for each sourcetype, in the Windows index events.

[sourcetype]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = Doors

————————————
If this helps, give a like below.
0 Karma

blake1987
Explorer

Thanks @thambisetty, I see where you're going. The only issue is I need to re-write the index on the forwarded logs, instead of forwarding them with the index that outputs.conf on the universal forwarder tagged them with.

I'm having a hard time explaining it clearly, sorry. Something like this:

UF (Sets Index to Windows) --> IndexerA (Indexes to Index Windows, and forwards to IndexerB using index Doors) --> IndexerB (Indexes to Index Doors)

Thanks again!

0 Karma

thambisetty
SplunkTrust

@blake1987 

Check my updated answer. Hope you have understood how to parse. I have now updated it with how to change the index.

————————————
If this helps, give a like below.
0 Karma

thambisetty
SplunkTrust

Have one more stanza in outputs.conf:

[tcpout]
defaultGroup=yourown

[tcpout:yourown]
server=ip:port

[tcpout:Subsidiary]
server=169.254.153.83:9999

inputs.conf, for example:

[WinEventLog://Security]
_TCP_ROUTING = yourown,Subsidiary

Everything from the client where the above configuration is applied will be sent to the defaultGroup, but WinEventLog://Security will be forwarded to the default AND Subsidiary as well.

————————————
If this helps, give a like below.
0 Karma

blake1987
Explorer

Thanks @thambisetty

My problem is that I'm trying to forward all data, not just a single sourcetype, from the Indexer/Heavy Forwarder.

0 Karma
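As an added example (not from the thread or from either poster), the configuration below covers both the original question's props.conf/transforms.conf and the "forward all data" requirement raised in the last reply. It keeps SplunkA's local copy in the UF-assigned index and has SplunkB assign SubsidiaryIndex on its own receiving input. Two points it relies on: a transforms.conf stanza honours a single DEST_KEY/FORMAT pair, so putting both `_MetaData:Index` and `_TCP_ROUTING` in one `[routeAll]` stanza leaves only the last pair in effect; and an index-time rewrite of `_MetaData:Index` on SplunkA happens in its parsing pipeline, before the event is cloned for local indexing and for forwarding, so SplunkA's own copy would also move to SubsidiaryIndex. Because the question already sends raw data (`sendCookedData=false`), the index can instead be set on SplunkB's plain TCP input without touching SplunkA's copy. The stanza name `routeAllToSubsidiary`, the sourcetype name and the `[default]` scope are assumptions; the IP and port are the ones from the question.

```ini
# ---------- SplunkA (indexer / heavy forwarder): props.conf ----------
# Added example, not the thread's own config.
# [default] matches every event this instance parses, including its own
# _internal logs, so those are routed to Subsidiary too. Narrow it with
# [host::...] or [source::...] stanzas if that is not wanted.
[default]
TRANSFORMS-routing = routeAllToSubsidiary

# ---------- SplunkA: transforms.conf ----------
# One DEST_KEY per stanza. Only the routing key is rewritten here; the
# index is deliberately left alone so the local copy stays in WinEventLog.
[routeAllToSubsidiary]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Subsidiary

# ---------- SplunkA: outputs.conf ----------
# indexAndForward keeps a local copy; defaultGroup points at a group that
# does not exist, so only events tagged by the transform leave the box.
[tcpout]
defaultGroup = nothing
indexAndForward = true

[tcpout:Subsidiary]
disabled = false
sendCookedData = false
server = 169.254.153.83:9999

# ---------- SplunkB (third party): inputs.conf ----------
# Raw (uncooked) data arrives on a plain tcp:// input, not splunktcp://.
# The index is assigned here, so SplunkA's copy is unaffected.
# "subsidiary_raw" is an assumed sourcetype name.
[tcp://9999]
index = SubsidiaryIndex
sourcetype = subsidiary_raw
```

Splunk .conf files do not support trailing comments on a value line, which is why every comment above sits on its own line. The trade-off of the raw-output route is that the UF's original sourcetype, host and source metadata are not carried across; if SplunkB needs them, the `[tcp://9999]` stanza is the place to set whatever static values are acceptable, or the Subsidiary group has to send cooked data and SplunkB has to apply its own props/transforms on receipt.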