|
Is there a way to selectively index and forward by using filtering criteria such as hostname, sourcetype, or REGEX in transforms.conf? Currently, I can selectively index and forward on a per input stanza basis in inputs.conf, but I don't want to forward everything coming into an input. If I were to only forward (and not index locally), I would use a REGEX in transforms.conf with a [stanza] in props.conf to filter what to forward. But it looks like using transforms.conf and props.conf is not supported for selective index and forwarding. |
|
That solution doesn't work for this environment because I cannot configure the forwarders to send to different indexers. I have a single indexer that is the central hub for many different data inputs. What I want to do is selectively forward and index from a single indexer Right now, with Splunk, an indexer can selective forward without indexing. I am using "indexAndForward" and _INDEX_AND_FORWARD_ROUTING in each input stanza. So at the moment, my forwarding granularity is limited to a stanza in inputs.conf. What I want to do is be able to use props.conf and transforms.conf to selective decide:
|
|
Hi dottom well basicly an indexer can do the same filtering/routing of data like a forwarder. here is a post about how to configure forwarder to send different information to 2 different indexers so your indexer can be setup to filter data to different indexes or forward any data to 3rd party systems. regrads |
|
My scenario is different in that I don't want to filter out events from being indexed. What I want to do is filter events to be forwarded, i.e. do not forward some events (only index it), forward specific sourcetype to remoteHostA, forward specific REGEX string to remoteHostB, etc. The scenario:
I don't want to just forward using LWF/HF/UF which is very flexible to customize using props.conf and transforms.conf. This is a "index and selectively forward" approach. As a kludge, I've considered running both a forwarder and index instance (two Splunk instances) and have the forwarder forward locally what I want indexed, and forward remotely what I want sent off to other log collection devices. But I really don't want to run two Splunk instances just to have flexible filtering capability for a "index and forward" design. |
|
Hi dottom either take a look here: How do I configure Splunk to filter out events I don’t want to index? on Splunk Answers or read the docs here: http://www.splunk.com/base/Documentation/4.2.1/Deploy/Routeandfilterdatad both is working as designed, but be aware about this here: WinEventLog:Security filtering does not work on Splunk Answers I just run into this bug last week. but as said, beside this, all is working like in the docs written. regards |