Hi Community,
I have the need to filter data based on a specific field value and route to a different group of indexers.
Data is coming through HEC configured on a Heavy Forwarder like this:
...
...ointing to the Heavy Forwarder, and 1 indexer. I would like the heavy forwarder to only forward certain events on to the indexer. Based upon my research (RouteandFilterData) I have built the b...
I'm having some issues with a heavy forwarder that I can't explain, and I was hoping someone could help me.
First question:
I have 1 heavy forwarder and 3 separate indexers. How can I define o...
I have a typical scenario that could be resolved with a UF on syslog-ng, however that is a future resolution.
At the moment, I have 2 data sources (A and B) coming in on a common port (e.g. TCP 6...
We need to route and filter data on the heavy forwarder. We are having trouble configuring the routing of security logs to a Splunk instance specifically for security logs and the main Enterprise i...
...ow I have a new need: For a specific sourcetype (csi_pclog), I need to get rid of most events first, then route remaining events to a specific indexer. For some reason, I'm having trouble making this w...
My override index confs are breaking and I cannot find the cause...
Currently I have logs from two sources (A and B) coming in on (port TCP 666) going to one index_A.
Event logs containing: p...
...ransforms.conf still gets routed to a default indexer.
By the way, all data has to be routed to the third-party system and a copy of a subset to Splunk.
Ok now I still have the problem with the s...