Issue:
I am attempting to get a specific index from an internal Splunk setup to an external one without clustering. Thus far I have been led to believe that using indexAndForward is the best option for this. I have 3 test systems sending their logs to the main index, while one system is sending each WinEventLog log to its own index (security_logs, application_logs, etc.), much like our client systems are already set to do. When I use the below setup with outputs.conf, transforms.conf and props.conf I get the WinEventLog:Security and System, and that is all (the Security being the only one I want to test); however, for the one sending all its logs to individual indexes, I get EVERYTHING except those logs.
Current files:

outputs.conf

[tcpout]
defaultGroup = splunkinternal,splunkexternal

[tcpout:splunkexternal]
server = xx.xx.10.19:9997

[tcpout-server://xx.xx.10.19:9997]

[tcpout:splunkinternal]
server = xx.xx.1.6:9997

[tcpout-server://xx.xx.1.6:9997]

props.conf

[syslog]
TRANSFORMS-routing = routeSubset, routeAll

transforms.conf

[routeAll]
REGEX = (.)
DEST_KEY = _TCP_ROUTING
FORMAT = splunkinternal

[routeSubset]
REGEX = (WinEventLog|Security)
DEST_KEY = _TCP_ROUTING
FORMAT = splunkexternal
Items desired:
Pull in specific indexes (index=security_logs) and only those specific indexes, OR specify certain log files (WinEventLog:Security), without getting the others. Any assistance or links would be extremely helpful. See below for the links I used to arrive where I am.
https://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#IndexAndForward_Processor-----
https://answers.splunk.com/answers/448100/is-it-possible-to-index-and-forward-a-specific-sou.html
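The following is an added example of a selective-forwarding layout, not the poster's configuration and not text from the linked Splunk documentation. It reuses the group names and addresses from the posted outputs.conf and assumes the props/transforms live on the indexer that performs indexAndForward (parsing-time transforms do not run on a universal forwarder). Two points it is built around: a props.conf stanza named [syslog] only applies to events whose sourcetype is syslog, so Windows event log sourcetypes such as WinEventLog:Security never reach the routing class; and listing both groups in defaultGroup clones every event that no transform touches to both destinations, which is the "everything except those logs" effect on the external side. The index-based variant assumes that _MetaData:Index is usable as a SOURCE_KEY for matching the destination index; treat that stanza as an assumption to verify on your version.

```ini
# outputs.conf (indexer): keep a local copy of everything, forward only
# what a transform explicitly routes to splunkexternal.
[indexAndForward]
index = true

[tcpout]
# Only the internal group is the default; the external group receives
# events solely when _TCP_ROUTING is set by a transform below.
defaultGroup = splunkinternal

[tcpout:splunkinternal]
server = xx.xx.1.6:9997

[tcpout:splunkexternal]
server = xx.xx.10.19:9997

# props.conf (indexer), option A: route by sourcetype.
# Stanza names are sourcetypes, so attach the routing class to the
# Windows sourcetype, not to [syslog]. Assumed sourcetype name: WinEventLog:Security.
[WinEventLog:Security]
TRANSFORMS-routing = routeSecurityExternal

# props.conf (indexer), option B: route by destination index.
# Applied under [default] so it is evaluated for every event; pick A or B,
# not both, to keep the routing decisions easy to reason about.
# [default]
# TRANSFORMS-routing = routeByIndex

# transforms.conf
[routeSecurityExternal]
REGEX = .
DEST_KEY = _TCP_ROUTING
# Use "splunkinternal,splunkexternal" instead if the external copy must
# also keep flowing to the internal group over tcpout.
FORMAT = splunkexternal

[routeByIndex]
# Assumption: match on the event's destination index rather than its raw text.
SOURCE_KEY = _MetaData:Index
REGEX = ^security_logs$
DEST_KEY = _TCP_ROUTING
FORMAT = splunkexternal
```

When several transforms in one TRANSFORMS-routing class set _TCP_ROUTING, they are evaluated in the listed order and the last match wins, so a catch-all such as routeAll must come before the subset rule, not after it; the example avoids the question by using a single rule per class. After a restart, a quick way to confirm the split is to search each destination for index=security_logs sourcetype=WinEventLog:Security and compare event counts over the same time window.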