Splunk Enterprise

Forward data based on sourcetype between 2 indexers or between indexer and search head

myitlab1000
Explorer

Hello,

I would like to know if I could forward data based on sourcetype between 2 indexers or between an indexer and a search head.

I would like to forward only data of a certain sourcetype.

Thank you for your help


richgalloway
SplunkTrust
Forwarding between indexers is possible. Forwarding from indexer to search head does not make sense since search heads do not store data.
What problem are you trying to solve?
---
If this reply helps you, Karma would be appreciated.

myitlab1000
Explorer

I have multiple indexers and one search head.

forwarders => Indexer 1, Indexer 2, Indexer N => search head => forwarding to third party

I can forward data, but the problem is that it is forwarding all the data.

I would like to index all data locally on the indexer and forward only data of a certain sourcetype via the search head, to avoid opening additional ports between the indexers and the third-party software.

I have tested by configuring props.conf, transforms.conf and outputs.conf, but it is still forwarding all data, all sourcetypes.

Reference docs: https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Routeandfilterdatad

Thanks a lot for your help


richgalloway
SplunkTrust
How are you specifying the sourcetype to forward?
---
If this reply helps you, Karma would be appreciated.

myitlab1000
Explorer

Here is my conf of an indexer to forward to the search head, and from the search head I would like to forward to a third party.

The problem is that not only data of sourcetype "mysourcetype" is forwarded, but all data.

in props.conf:

# Attach the routing transform only to events of this sourcetype.
[mysourcetype]
TRANSFORMS-routing = forward_to_my_search_head_from_indexer

in transforms.conf:

# REGEX = . matches every event of the sourcetype above and sets its
# _TCP_ROUTING key to the named output group.
[forward_to_my_search_head_from_indexer]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = my_search_head_group

in outputs.conf:

# "nothing" is not a defined [tcpout:...] group, so no data should be
# forwarded unless a transform sets _TCP_ROUTING; indexAndForward keeps a
# local copy of all data on the indexer.
[tcpout]
defaultGroup = nothing
indexAndForward = true

[tcpout:my_search_head_group]
# the setting name is "disabled"; "disable" is not recognised and is ignored
disabled = false
server = my_search_head_ip:9997
# false sends raw (uncooked) data; a Splunk splunktcp receiver expects cooked data
sendCookedData = false

Thank you for yo


richgalloway
SplunkTrust
Your configuration appears to make sense according to the documentation; however, I still cannot wrap my head around why you are forwarding data from an indexer to a search head. That is not a normal practice. Can you describe your Splunk architecture? What problem are you trying to solve by forwarding data from indexer to SH?
---
If this reply helps you, Karma would be appreciated.

myitlab1000
Explorer

I would like to expose one port from the SH to the outside (third-party software).

richgalloway
SplunkTrust

Please say more about that. Why the SH and not the indexer where the data resides? What third-party software?
I think your defaultGroup attribute needs a value that is not "my_search_head_group".
Have you read https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd?

---
If this reply helps you, Karma would be appreciated.
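For reference, here is the complete selective-routing configuration laid out end to end, using the names from the thread. This is an added example, not the poster's configuration and not taken from the Splunk documentation; it assumes the search head is used as the relay (as the poster wants, although richgalloway advises against it), that it receives from the indexers on a splunktcp input on port 9997, and that the third-party system accepts raw TCP. `third_party_group` and `third_party_host:5140` are placeholder names, not values from the thread.

```ini
# ===== On each indexer =====

# props.conf: attach a routing transform only to the sourcetype to forward.
# Events of every other sourcetype never pass through this transform and so
# keep the default (non-forwarding) routing below.
[mysourcetype]
TRANSFORMS-routing = forward_to_my_search_head_from_indexer

# transforms.conf: REGEX = . matches every event of mysourcetype and sets the
# _TCP_ROUTING key to the output group that points at the search head.
[forward_to_my_search_head_from_indexer]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = my_search_head_group

# outputs.conf: defaultGroup names a group with no [tcpout:...] stanza, so
# nothing is forwarded unless a transform sets _TCP_ROUTING. indexAndForward
# keeps a local copy of all data, including mysourcetype, on the indexer.
[tcpout]
defaultGroup = nothing
indexAndForward = true

[tcpout:my_search_head_group]
disabled = false
server = my_search_head_ip:9997
# Cooked (Splunk-to-Splunk) data is what the splunktcp receiver on the search
# head expects; raw data (sendCookedData = false) is only for non-Splunk receivers.
sendCookedData = true

# ===== On the search head, acting as a relay =====

# inputs.conf: receive the cooked stream from the indexers.
[splunktcp://9997]
disabled = false

# outputs.conf: relay everything received to the third party as raw TCP.
# No routing transform is needed here: the indexers already send only
# mysourcetype, and data parsed by an indexer is not parsed again on arrival.
[tcpout]
defaultGroup = third_party_group
indexAndForward = false

# third_party_host:5140 is a placeholder for the third-party listener.
[tcpout:third_party_group]
disabled = false
server = third_party_host:5140
sendCookedData = false
```

Two points worth checking before enabling this: the sourcetype filter has to live on the indexers, because routing transforms run during parsing and do not apply to already-parsed data that arrives over splunktcp at the relay; and the relay's own internal indexes are governed by the forwardedindex.* settings in outputs.conf, so review those to make sure only the intended data leaves for the third party.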