Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Selective forwarding and overrride destination sourcertype and index

adityapavan18
Contributor
‎08-05-2012 12:49 AM

I have a setup where syslog feed is received by a heavy forwarder on udp port. Syslog feed on that particular udp port has sourcetype=syslog_feed and index=syslog_index . And from there i have to route the syslog feed to Actual Indexers.

Now what configuration changes i have to make to forward the data with sourcetype=sl_feed and destination index=sl_index .

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-13-2012 03:49 AM

Hi there,

If you use a Heavy forwarder, you should set the correct sourcetype and index there straight away, since a Heavy forwarder will perform the input and parsing phases. Therefore you should edit the inputs.conf on the Heavy forwarder to the values you want, i.e. sl_feed and sl_index.

For more information on what configuration goes where, see http://docs.splunk.com/Documentation/Splunk/4.3.3/Admin/Configurationparametersandthedatapipeline or
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

Kristian

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...