×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Sot_Sochetra
Explorer
Member since: ‎06-19-2025
‎08-07-2025
Community Statistics
Posts 4
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎06-19-2025
Activity Feed
View All

Re: How to edit my props and transforms to route d...

by in Getting Data In
‎08-07-2025 06:01 AM
‎08-07-2025 06:01 AM
Thank you for your suggestion i will check it out  ... View more

Re: How to edit my props and transforms to route d...

by in Getting Data In
‎08-07-2025 04:01 AM
‎08-07-2025 04:01 AM
Thank you for the reply I will test it out tomorrow as I am out of work right now and I will tell you how it goes . ... View more

Re: How to edit my props and transforms to route d...

by in Getting Data In
‎08-07-2025 03:59 AM
‎08-07-2025 03:59 AM
Thanks for the advice! The main reason I’m using a Heavy Forwarder is because from what I’ve read, it can parse data before sending it to the indexer. For example, I’m planning to collect logs from some network devices (like firewalls or routers), and I thought sending them through the HF would help with parsing or enriching the data first. Also, I’m still pretty new to Splunk, so sorry if I’m misunderstanding anything or asking something obvious.  Best regard Chetra ... View more

How to edit my props and transforms to route data ...

by in Getting Data In
‎08-07-2025 02:53 AM
‎08-07-2025 02:53 AM
Hi all I'm building a distributed Splunk architecture with: 1 Search Head 2 Indexers (not in a cluster) 1 Heavy Forwarder (HF) to route logs from Universal Forwarders (UFs) I want to route logs to different indexers based on the index name, for example: Logs from AD servers should go to indexer01, using index=ad_index Logs from File servers should go to indexer02, using index=fs_index Here is my current config on the HF  props.conf [default] TRANSFORMS-routing = route_to_index02 transforms.conf [route_to_index02] REGEX = ^fs_index$|^ad_index$ DEST_KEY = _TCP_ROUTING FORMAT = index02 outputs.conf [tcpout] [tcpout:index01] server = <IP>:9997 [tcpout:index02] server = <IP>:9997 And here is the example inputs.conf from AD Server [WinEventLog://Security] disabled = 0 index = ad_index sourcetype = WinEventLog:Security [WinEventLog://System] disabled = 0 index = ad_index sourcetype = WinEventLog:System But right now, everything is going to index02, regardless of the index name. So my question is  How can I modify props.conf and transforms.conf on the HF so that: ad_index logs go to index01 fs_index logs go to index02 Thank in advance for any help ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-07-2025 08:16 AM
Karma given to