Splunk Enterprise

sending index data to another system

splkadmin
Explorer

I have to forward the data from my single-instance indexer to other systems, i.e. an indexer and a third-party system.

I have tried the configuration below, but I am receiving only the local system data, i.e. /var/log/cron as mentioned in the input. How can I get the files from all hosts that I configured on my index system?

i.e. the log files of system1, system2, etc.

[root@splunkvm]# cd /opt/splunk/etc/system/local
[root@splunkvm local]# cat inputs.conf
[splunktcp://9997]
connection_host = ip

[monitor:///var/log/cron]
disabled = false
#_INDEX_AND_FORWARD_ROUTING=local
index = index2
sourcetype = linux_logs
_TCP_ROUTING = indexer
[root@splunkvm local]# cat props.conf
[source::/var/log/cron]
TRANSFORMS-routing=indexer

[root@splunkvm local]# cat transforms.conf
[indexer]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=thirdindexer
[root@splunkvm local]# cat outputs.conf
[tcpout]
indexAndForward = 1

[tcpout:thirdindexer]
server = 192.168.x.x:9997
[root@splunkvm local]#
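
An added example, not part of the original post and not Splunk tooling: a small Python check that reads the inputs.conf, transforms.conf and outputs.conf shown above and lists routing settings that cannot deliver data. The function names and finding labels are assumptions made for this illustration.

```python
import configparser

# The poster's files from the session above, abridged to the routing-relevant lines.
INPUTS = """\
[splunktcp://9997]
connection_host = ip
[monitor:///var/log/cron]
index = index2
_TCP_ROUTING = indexer
"""
TRANSFORMS = """\
[indexer]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=thirdindexer
"""
OUTPUTS = """\
[tcpout]
indexAndForward = 1
[tcpout:thirdindexer]
server = 192.168.x.x:9997
"""

def parse_conf(text):
    """Return {stanza: {key: value}} for .conf text, keeping key case."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def audit_routing(inputs, transforms, outputs):
    """List (finding, stanza, group) tuples for routes that cannot deliver."""
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    default_group = outputs.get("tcpout", {}).get("defaultGroup")
    findings = []
    routes = [(s, kv.get("_TCP_ROUTING")) for s, kv in inputs.items()]
    routes += [(s, kv.get("FORMAT")) for s, kv in transforms.items()
               if kv.get("DEST_KEY") == "_TCP_ROUTING"]
    for stanza, route in routes:
        # With no route and no defaultGroup, only a props/transforms match forwards the data.
        if route is None and not default_group:
            findings.append(("unrouted_input", stanza, ""))
        for group in (g.strip() for g in (route or "").split(",") if g.strip()):
            if group not in groups:
                findings.append(("undefined_group", stanza, group))
    return findings

def audit_posted_config():
    return audit_routing(parse_conf(INPUTS), parse_conf(TRANSFORMS), parse_conf(OUTPUTS))
```

On the posted files it reports that `[splunktcp://9997]` has no route while `[tcpout]` sets no `defaultGroup`, and that `_TCP_ROUTING = indexer` names a group that outputs.conf does not define.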
