Splunk Enterprise

Forwarding and cloning specific index's to a third party splunk indexer

troyfredmsit
New Member
If a party decided to split all events into their own index's (IE. winevent_security to "security", winevernt_application to "application" etc), but then they had a third party security group that needed specific index's (in this case just the security index). How would one set it up to where that index still goes to the main splunk for the company but ONLY that log goes to the third party splunk as well. The idea is to use a heavy forwarder, but I am not sure how to specify the index. Right now I have all index's going to both but that is not a solution that everyone is comfortable with. Any help would be amazing.
0 Karma

FritzWittwer
Path Finder

it can be done, see Forwarding/Route and filter data  and CLONE_SOURCETYPE in Transforms.conf . But be warned, it becomes complicated and cumbersome if your rule set is large. You may look into Splunk Data Stream Processor, DSP or also a certain third party product, for a solution which scales.

0 Karma

gjanders
SplunkTrust
SplunkTrust

props.conf:

[thesourcetype]
TRANSFORMS-route = route_to_third_party


transforms.conf:

[route_to_third_party]
SOURCE_KEY = _MetaData:Index
REGEX = ^(winevent)$
DEST_KEY=_TCP_ROUTING
FORMAT = mysplunkinstance, thirdpartyinoutputsconf


Perhaps?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...