Solved: Re: howto: let forwarders send events to multiple ...

florianzimm · ‎12-30-2020

hi,

scenario: elk-server has logfiles of test und prod systems. we have two separate splunk-infrastructures, test & prod.

goal: send events, based on 'source', to test-splunk-infra or prod-splunk-infra.

thanks for your input, florian.

saravanan90 · ‎12-30-2020

Below may help.

file1.log will move to prod-splunk-infra, file2 will move to test-splunk-infra

In inputs.conf

[monitor:///var/log/file1.log]
_TCP_ROUTING = prod_env
disabled = false
index = main
sourcetype = anysourcetype

[monitor:///var/log/file2.log]
_TCP_ROUTING = dev_env
disabled = false
index = main
sourcetype = anysourcetype

In outputs.conf

[tcpout:prod_env]
server=prod1_idx1:9997, prod_idx2:9997

[tcpout:dev_env]
server=dev_idx1:9997, dev_idx2:9997

saravanan90 · ‎12-30-2020