Splunk SOAR (f.k.a. Phantom)

Help understanding Splunk SOAR connectivity to indexers

kprior201_lilly
Path Finder

I would like to understand how Splunk SOAR sends data to the indexer endpoints that are configured under Administration -> Search Settings -> Indexers. I would like to send data to two different HEC endpoints (two different Splunk instances), but I'm not sure if Splunk SOAR treats multiple indexers as something to load balance or multiple things to send all data to. I attempted to use _TCP_Routing on one of the HEC endpoints to take care of this issue, but it doesn't seem to work right so I figured I'd go back to the source. Anyway, if anyone knows how that works, I'd appreciate the insight! Thanks.
