So we have a client who has a splunk deployment already. They are not for using the universal forwarder to send us certain logs while their deployment also gets every index they are reporting on. The suggestion we got was to use a heavy forwarder to send all index's to them and have the heavy forwarder send just the two or three index's we are looking for to us. Most of the heavy forwarder comments though use an index and forward method, but the client wants to use their indexer and not have it basically indexed twice. Another of the issues is that the client already sends EVERYTHING as it's own index, (IE security logs = security index, application = application index etc). Any assistance would be greatly appreciated. ... View more

We have an Ansible script that rebuilds/reindexes etc a Splunk indexer, if for some reason it implodes on itself. We also have incremental backups of the Splunk databases (for this question lets say "Data1"). While the script can rebuild the server, what is the best way to add back those databases if a server is rebuilt so we do not lose all the data we have saved? Thanks in advance for any assistance. ... View more

So we have a client system that has their own Splunk indexer. For certain reasons they do not want their splunk universal forwarders sending logs to two separate indexers, but want to continue to have all their logs sent to their indexer, and then forward select indexes from their indexer to ours. Most of the indexandforward items seem to require a heavy forwarder to work. We are trying not to interfere with their current setup as much as possible and adding the heavy forwarder seems like it would be exactly that. Any thoughts would be greatly appreciated. ... View more

Hello, So I have a rather unique issue that I am really having trouble with. We have a client that has their own splunk system in place. They send their data in a multitude of indexes to the their main indexer, nothing odd there. What we need though is to have a select grouping of indexes sent from their indexer, to our splunk on another network. A suggestion was made to basically query the indexes and toss them into a file then read that as a log. While that is an option I believe will work, it is a little ghetto and also consumes more disk space. Is there a native way of after something is indexed, for the indexer to also forward it on to us? I talked with our client about having the universal forwarder on the devices send to both indexers (which was way easy but they do not want the network bandwidth on those systems taxed more than they already are), so here I am trying to find the best method to do this. Thanks in advance for any possible assistance. ... View more

Issue: I am attempting to get a specific index from an internal splunk setup to an external one without clustering. Thus far I have been lead to believe that using indexandforward is the best option for this. I have 3 test systems sending their logs to the main index while one system is sending each WinEventLog log to their own index's security_logs, application_logs, etc, much like out client systems already are set to do. When I use the below setup with outputs.conf, transforms.conf and props.conf I get the WinEventLog:Security and System, and that is all (the Security being the only one I want to test), however for the one sending all their logs to individual indexes, I get EVERYTHING except those logs. Current File: outputs.conf [tcpout] defaultGroup = splunkinternal,splunkexternal [tcpout:splunkexternal] server = xx.xx.10.19:9997 [tcpout-server://xx.xx.10.19:9997] [tcpout:splunkinternal] server = xx.xx.1.6:9997 [tcpout-server://xx.xx.1.6:9997] props.conf [syslog] TRANSFORMS-routing = routeSubset, routeAll transforms.conf [routeAll] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=splunkinternal [routeSubset] REGEX=(WinEventLog|Security) DEST_KEY=_TCP_ROUTING FORMAT=splunkexternal Items desired: Pull in specific indexes (index=security_logs) and only those specific indexes OR specify certain log files (WinEventLog:Security), without getting the others. Any assistance or links would be extremely helpful. See below for links I used to arrive where I am. https://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#IndexAndForward_Processor----- https://answers.splunk.com/answers/448100/is-it-possible-to-index-and-forward-a-specific-sou.html ... View more

We have a few silo'd networks and each has their own Splunk setup. My group is going to ingest specific index's from them but cannot be part of their cluster. How would I send (say for example the Security logs held in the Security_index), from Indexer 1 to indexer 2? So far most of the answers I have come across deal with clustered systems or decommissioning one indexer and search head to bring up another. Any assistance would be greatly appreciated. ... View more