Hi All,
I have a UF installed on a syslog server. Network clients are already sending data to the syslog server, and the UF forwards it to indexer 1.
Now another application wants to send data to the same syslog server on which the UF is installed.
But this application data has to go to a different indexer [Example: indexer_new].
[Note: Both these indexers (indexer 1 and indexer_new) are not in the same cluster. They are placed separately.]
This network data is coming on tcp port 1515 and application data is coming on tcp port 1517.
I have seen some answers to route it with _TCP_ROUTING_ to two different indexers based on data input. But in this case this is not based on file or log path. This is based on TCP input [for TCP input we don't have any path for log].
Existing input [Under /opt/splunk-fwd/etc/apps/syslog_3n/default/inputs.conf]:
----------
[tcp://localhost:1515]
queueSize = 512MB
connection_host = ip
sourcetype = network_syslog
index = network_sys
Now I want to know how to route the new application data coming to the UF on port 1517 to indexer_new, while the existing network data should continue to go to indexer 1.
Thanks for your reply in advance 🙂!!
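One way to set up the per-port routing asked about above, as an added example that is not part of the original post: `_TCP_ROUTING` is set per input stanza in inputs.conf, so it applies to TCP inputs as well as file monitors. The output group names, the `<indexer1_host>` and `<indexer_new_host>` placeholders, receiving port 9997, and the sourcetype and index on the 1517 stanza are assumptions.

```ini
# --- inputs.conf on the UF ---

# Existing network syslog input, now pinned to the indexer 1 group
[tcp://localhost:1515]
queueSize = 512MB
connection_host = ip
sourcetype = network_syslog
index = network_sys
_TCP_ROUTING = indexer1_group

# New application input on port 1517, pinned to the indexer_new group
# (stanza form mirrors the existing one; sourcetype and index are assumed names)
[tcp://localhost:1517]
connection_host = ip
sourcetype = app_syslog
index = app_sys
_TCP_ROUTING = indexer_new_group

# --- outputs.conf on the UF ---

# Inputs without _TCP_ROUTING fall back to the default group
[tcpout]
defaultGroup = indexer1_group

# Placeholder host; 9997 is assumed as the receiving port
[tcpout:indexer1_group]
server = <indexer1_host>:9997

# Separate, non-clustered indexer for the application data
[tcpout:indexer_new_group]
server = <indexer_new_host>:9997
```

The index named in the 1517 stanza has to exist on indexer_new, and the UF needs a restart to pick up the new input and output group.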