Hi, I'm trying to forward all data received by one indexer to a third-party indexer, but rewriting the index for the data sent to the third party. Everything is configured to come in from the UFs using specific indexes (such as WinEventLog). SplunkA indexes the data into those indexes happily. There is a requirement to forward all data to SplunkB, but to a dedicated index (such as SubsidiaryIndex instead of WinEventLog). I was originally using indexAndForward in an outputs.conf, but the forwarded data includes the index set by the UFs. The guide here is close to what I want to do, but I want it to forward all data and rewrite the index: https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system

props.conf - Note: I feel like the default stanza is wrong, but I'm not sure how else to capture everything. Also, I've tried TRANSFORMS-routing and TRANSFORMS-forward...

[default]
TRANSFORMS-routing = routeAll

transforms.conf

[routeAll]
REGEX=(.)
DEST_KEY = _MetaData:Index
FORMAT = SubsidiaryIndex
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary

outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=169.254.153.83:9999

Any guidance would really be appreciated!
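A reworked version of the three files, added here as an example and not taken from the original post or the Splunk docs; the stanza names routeAllIndex and routeAllTcp and the switch to cooked output are my own choices. A transforms.conf stanza honours a single DEST_KEY, so the index rewrite and the TCP routing are split into two stanzas that props.conf chains in order.

```ini
# props.conf (constructed example; [default] matches every sourcetype,
# as in the original post)
[default]
TRANSFORMS-routing = routeAllIndex, routeAllTcp

# transforms.conf: one DEST_KEY per stanza, so two stanzas
[routeAllIndex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = SubsidiaryIndex

[routeAllTcp]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Subsidiary

# outputs.conf: keep indexing locally while forwarding everything
[tcpout]
defaultGroup = nothing
indexAndForward = true

# Cooked output carries the index metadata; raw output (sendCookedData=false)
# sends only the event text, so a rewritten index never reaches the receiver.
[tcpout:Subsidiary]
disabled = false
sendCookedData = true
server = 169.254.153.83:9999
```

The index rewrite runs in SplunkA's own pipeline before local indexing, so with this configuration SplunkA's copy lands in SubsidiaryIndex as well, not only the copy sent to SplunkB.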