Hi @SN1 , let me understand: you have two stand alone Splunk servers and you want to send data of an index from the second to the first, is it correct? if this is your requirement, the first questi...
See more...
Hi @SN1 , let me understand: you have two stand alone Splunk servers and you want to send data of an index from the second to the first, is it correct? if this is your requirement, the first question should be why? but anyway, I need other two information for your solution: is there another Heavy forwarder forwarding these logs? do you want to forward all the data or only the ones of one index? if logs passing through another Splunk full instance (Heavy Forwarder), you have to work on it otherwise on the ServerB. You have to create a fork following the instructions at https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/9.4/perform-advanced-configuration/forward-data-to-third-party-systems if you want to forward all logs, you can configure forwarding and receiving [Settings > Forwarding and Receiving > Forwarding] with the option "Index and forwardiung", in this way you forward all logs maintaining a local copy of them, for more information see at https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/9.4/perform-advanced-configuration/forward-data-to-third-party-systems#forward-all-data-0 If instead you want to forward only a subset of data you have to use the configurations at https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/9.4/perform-advanced-configuration/forward-data-to-third-party-systems#forward-a-subset-of-data-0 Ciao. Giuseppe