×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bryanrobertson
New Member
Member since: ‎03-11-2014
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-11-2014
Activity Feed
View All

Re: Is there a way to make forwarding/indexing dec...

by in Getting Data In
‎04-27-2018 04:49 PM
‎04-27-2018 04:49 PM
Thank you. These are all good ideas. I have read over the “Route and filter data” and I use props.conf and transforms.conf in other places for routing purposes. The event data is so different in some cases that there are no easily repeatable patterns to make routing decisions. In the long term I am going to make the data easier to identify (separate indexes or create custom fields at index time), but all of that would require a lot of work for our setup. I am going to try the multiple splunktcp inputs next week as that sounds like the easiest for our environment. ... View more

Re: Is there a way to make forwarding/indexing dec...

by in Getting Data In
‎04-27-2018 04:36 PM
‎04-27-2018 04:36 PM
Thank you. After reading over the inputs.conf specs file more, I think grouping the forwarders under the splunktcp stanza and using TCP_ROUTING will work for our case. I will give it a go next week ... View more

Is there a way to make forwarding/indexing decisio...

by in Getting Data In
‎04-25-2018 10:02 AM
‎04-25-2018 10:02 AM
Is there a way to make forwarding/indexing decisions in Splunk config files based on the sending Splunk server regardless of the contents event data? Background: We have several Splunk servers (lets call them, A,B,C,D,E). Each server receives logs from several hosts and sources. We are need to forward data based on what Splunk server (not the host, source, or sourcetype) sent the logs. For example: Splunk servers A, B and C forward their logs to Splunk server D. If Splunk server D received data from Splunk server C, Splunk server D must index+forward the data to Splunk server E (regardless of the event details). Splunk server D will only index, and not forward, logs forwarded from Splunk servers A and B. Please note: Clustering is not an option in our environment Thank you for any feedback ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM