How can I get a Splunk instance to index data and ...

Splunk Enterprise

Hello,

I have two standalone Splunk instances, Splunk A and Splunk B. Splunk A has a scripted input that runs on a cron schedule and indexes results. What I am trying to do is have Splunk A send that same data to Splunk B so that it is indexed again (yes I know it's redundant and doubles license usage).

I have studied examples here https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Routeandfilterdatad and have managed to get half way: Splunk A sends the data to Splunk B where it is indexed, but does not index the data itself. Here are my config files:

props.conf

[splunk_a_sourcetype]
...
TRANSFORMS-defaultRouting=defaultRouting
TRANSFORMS-secondaryRouting=secondaryRouting

transforms.conf

[defaultRouting]
REGEX=.
DEST_KEY=queue
FORMAT=indexQueue

[secondaryRouting]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=secondaryGroup

outputs.conf

[tcpout:secondaryGroup]
server=dns.for.splunk.b:9997

What am I missing so that Splunk A will index the events as well as forward them to Splunk B?

Thanks!

Andrew

Get Updates on the Splunk Community!

How can I get a Splunk instance to index data and forward that same data to another Splunk instance?

administration

configuration

troubleshooting

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?