I have a setup with one production indexer and one development indexer. I want all the data to flow into production and a specific set of data to flow into the development indexer.
The Splunk architecture is UF > HF > IDX.
I see that one sourcetype (ping:directory) is able to send its data to both indexers, while the other one (inventory:a10) is sending data only to production, not to development.
There are two indexers, each in a different cluster environment.
Indexer1 : Lewisville_Indexers
Indexer2 : DevIndexer
These are the configurations we have set up in our environment.
UF: inputs.conf
[monitor:///opt/csv/a10/*.csv]
disabled = 0
index = inventory
sourcetype = inventory:a10
crcSalt =
initCrcLength = 1048576
[monitor:///u1/ds/logs/access]
sourcetype=ping:directory
index=ti_directory
disabled = 0
HF: props.conf
[ping:directory]
TRANSFORMS-routing=SecOps_Prod_Dev
[inventory:a10]
TRANSFORMS-routing=SecOps_Prod_Dev
transforms.conf
[SecOps_Prod_Dev]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=Lewisville_Indexers,DevIndexers
outputs.conf
[tcpout]
defaultGroup = Lewisville_Indexers,DevIndexers
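Added example (not from the post above or from Splunk itself): a small checker that parses props.conf, transforms.conf and outputs.conf text, follows TRANSFORMS-* to a transform whose DEST_KEY is _TCP_ROUTING, and reports which tcpout groups each sourcetype ends up routed to, falling back to defaultGroup when no routing transform applies. It also lists any group name referenced in FORMAT or defaultGroup that has no matching [tcpout:<group>] stanza, which is the first thing to verify when two sourcetypes with the same routing transform behave differently. The conf text embedded below is constructed: the hostnames and ports are placeholders, and the second tcpout group is deliberately defined as DevIndexer while the routing refers to DevIndexers, purely so the check has something to report.

```python
"""Trace Splunk heavy-forwarder routing from sourcetype to tcpout group.

Added example, not the poster's or Splunk's code. The three conf snippets
below are constructed for illustration; hostnames/ports are placeholders.
"""
import re
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """Parse a minimal Splunk .conf file: [stanza] headers and key = value lines."""
    stanzas: Conf = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def split_list(value: str) -> List[str]:
    """Split a comma-separated conf value into its non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def routing_for_sourcetype(props: Conf, transforms: Conf, outputs: Conf,
                           sourcetype: str) -> List[str]:
    """Return the tcpout group names a sourcetype's events are routed to.

    A transform writing to _TCP_ROUTING overrides the destination only
    when its REGEX matches; REGEX = . matches any non-empty event, and
    this example assumes every listed routing transform matches. With no
    routing transform, events go to outputs.conf defaultGroup.
    """
    groups: List[str] = []
    for key, value in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in split_list(value):
            transform = transforms.get(name, {})
            if transform.get("DEST_KEY") == "_TCP_ROUTING":
                groups.extend(split_list(transform.get("FORMAT", "")))
    if not groups:
        groups = split_list(outputs.get("tcpout", {}).get("defaultGroup", ""))
    return groups


def undefined_groups(transforms: Conf, outputs: Conf) -> List[str]:
    """Group names used in routing that have no [tcpout:<name>] stanza."""
    defined = {s[len("tcpout:"):] for s in outputs if s.startswith("tcpout:")}
    referenced = set(split_list(outputs.get("tcpout", {}).get("defaultGroup", "")))
    for transform in transforms.values():
        if transform.get("DEST_KEY") == "_TCP_ROUTING":
            referenced.update(split_list(transform.get("FORMAT", "")))
    return sorted(referenced - defined)


# Constructed sample conf text (mirrors the shape of the post's snippets).
PROPS = parse_conf("""
[ping:directory]
TRANSFORMS-routing = SecOps_Prod_Dev
[inventory:a10]
TRANSFORMS-routing = SecOps_Prod_Dev
""")
TRANSFORMS = parse_conf("""
[SecOps_Prod_Dev]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Lewisville_Indexers,DevIndexers
""")
OUTPUTS = parse_conf("""
[tcpout]
defaultGroup = Lewisville_Indexers,DevIndexers
[tcpout:Lewisville_Indexers]
server = prod-idx.example.invalid:9997
[tcpout:DevIndexer]
server = dev-idx.example.invalid:9997
""")

if __name__ == "__main__":
    for st in ("ping:directory", "inventory:a10"):
        print(st, "->", routing_for_sourcetype(PROPS, TRANSFORMS, OUTPUTS, st))
    print("referenced but undefined tcpout groups:",
          undefined_groups(TRANSFORMS, OUTPUTS))
```

Run it against the real files from the heavy forwarder (or, better, against the merged output of `splunk btool props list --debug`, `splunk btool transforms list --debug` and `splunk btool outputs list --debug`), since a stanza in another app can override the routing shown in a single file.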