Splunk Enterprise

forward MAIN index from an indexer

Explorer

Hi,

we are tring to forward only the MAIN index from an indexer to a third-party systems using TCP.
I've seen the documentation (Forward data to third-party systems/Route and filter data) and some community articles.

Unfortunatly we still get other indexes (e.g. fortinet) forwarded also. Any idea what we make wrong ?

The last try from the ..\system\local\outputs.conf:

## 21.6.2020
[tcpout]
defaultGroup = slms
indexAndForward = true
forwardedindex.0.whitelist =
#forwardedindex.1.blacklist = (_.*|fortinet)
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
forwardedindex.0.whitelist = main
forwardedindex.filter.disable = false

#[indexAndForward]
#index=true

[tcpout:slms]
server = 192.168.249.140:514
sendCookedData = false
blockOnCloning = false
#forwardedindex.0.whitelist =
#forwardedindex.1.blacklist =
#forwardedindex.2.whitelist =
#forwardedindex.2.whitelist = main
#forwardedindex.filter.disable = false
#

Labels (1)
0 Karma
1 Solution

Explorer

I found a solution to forward a sourcetype only. But as we use TCP, the Indexer stopps/pauses indexing as soon as the receiver is not responding. I'm working on this now ...

props.conf

[security-audit]

TRANSFORMS-security-audit = send_to_syslog

#

 transforms.conf

[send_to_syslog]

REGEX = .

DEST_KEY = _SYSLOG_ROUTING

FORMAT = syslog_slms

#

 output.conf

[syslog:syslog_slms]

server = <IP>:10514

type = tcp

#

View solution in original post

0 Karma

Influencer

Attribute forwardedindex only works under tcpout stanza. Try this.

[tcpout]
defaultGroup = slms
indexAndForward = true
forwardedindex.0.blacklist = .*
forwardedindex.1.whitelist = main
forwardedindex.filter.disable = false

[tcpout:slms]
server = 192.168.249.140:514
sendCookedData = false
blockOnCloning = false

0 Karma

Explorer

It's still the same. Data not from the MAIN index  get's forwarded also. I forgot to say, we have a 2 node indexer cluster and for testing only one is configured as shown may this has any side effect ?

0 Karma

Explorer

I've opend a case at Splunk support.

0 Karma

Explorer

I found a solution to forward a sourcetype only. But as we use TCP, the Indexer stopps/pauses indexing as soon as the receiver is not responding. I'm working on this now ...

props.conf

[security-audit]

TRANSFORMS-security-audit = send_to_syslog

#

 transforms.conf

[send_to_syslog]

REGEX = .

DEST_KEY = _SYSLOG_ROUTING

FORMAT = syslog_slms

#

 output.conf

[syslog:syslog_slms]

server = <IP>:10514

type = tcp

#

View solution in original post

0 Karma