Hi!
I know there are several questions on this topic, but I didn't find a solution for me.
I am trying to create a simple lab Splunk system with 1 HF and 2 indexers (ix1, ix2). The HF has 2 inputs, udp://1514 and udp://1515.
I tried to forward udp://1514 to ix1 and udp://1515 to ix2 with no luck. Somehow both indexers receive both logs :(
inputs.conf
[udp://1514]
connection_host = ip
sourcetype = syslog
[udp://1515]
connection_host = ip
sourcetype = syslog
props.conf
[source::udp://1514]
TRANSFORMS-ix1 = send_to_ix1
[source::udp://1515]
TRANSFORMS-ix2 = send_to_ix2
transforms.conf
[send_to_ix1]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer_1
[send_to_ix2]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer_2
outputs.conf
[tcpout:indexer_1]
server = 192.168.10.220:9997
[tcpout:indexer_2]
server = 192.168.10.221:9997
What am I doing wrong? Please help me.
The final goal is to filter the logs received by indexers and send everything to a 3rd party log collector.
Thank you for your time,
Steven
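As an added check that is not part of the original post, the script below replays the posted props/transforms/outputs against the source string Splunk assigns to a UDP input. It assumes that source is udp:<port> with no //, so a [source::udp://1514] stanza never matches and the event falls back to the outputs.conf default, which the script assumes is every tcpout group when defaultGroup is unset.

```python
import configparser
import fnmatch

# Constructed copies of the props/transforms/outputs stanzas from the post.
PROPS_POSTED = """
[source::udp://1514]
TRANSFORMS-ix1 = send_to_ix1
[source::udp://1515]
TRANSFORMS-ix2 = send_to_ix2
"""
# Same stanzas keyed on the source Splunk gives UDP inputs (assumption: udp:<port>, no //).
PROPS_FIXED = PROPS_POSTED.replace("udp://", "udp:")
TRANSFORMS = """
[send_to_ix1]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer_1
[send_to_ix2]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer_2
"""
OUTPUTS = """
[tcpout:indexer_1]
server = 192.168.10.220:9997
[tcpout:indexer_2]
server = 192.168.10.221:9997
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep DEST_KEY / TRANSFORMS-ix1 case exactly as written
    cp.read_string(text)
    return cp

def route(source, props_text, transforms_text=TRANSFORMS, outputs_text=OUTPUTS):
    """Return the tcpout group names an event with this source would be forwarded to."""
    props, transforms, outputs = parse(props_text), parse(transforms_text), parse(outputs_text)
    groups = [s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")]
    for stanza in props.sections():
        if not stanza.startswith("source::"):
            continue
        pattern = stanza[len("source::"):].replace("...", "*")  # props wildcards: * and ...
        if not fnmatch.fnmatchcase(source, pattern):
            continue
        for key, names in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in names.split(",")):
                t = transforms[name]
                if t.get("DEST_KEY") == "_TCP_ROUTING":
                    return [g.strip() for g in t["FORMAT"].split(",")]  # explicit route wins
    # No routing transform matched: defaultGroup, or (assumption) every group when it is unset.
    default = outputs["tcpout"].get("defaultGroup", "") if outputs.has_section("tcpout") else ""
    return [g.strip() for g in default.split(",") if g.strip()] or groups
```

On the HF, splunk btool props list --debug shows which props stanza actually applies, and a search for source="udp:1514" on each indexer confirms where the events landed.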