Hi,
We need some help with rerouting data from a universal forwarder via a heavy forwarder into a different index than given in the UF inputs.conf.
Universal Forwarder inputs.conf:
[monitor:///var/opt/log/tomcat/test.log]
disabled = false
sourcetype = testdatenb2c
Heavy Forwarder (as man in the middle) configuration:
inputs.conf:
[default]
host = splunk-heavy-dev-369368
[splunktcp://9697]
connection_host = ip
props.conf:
[testdatenb2c]
TRANSFORMS-routing = transforms_TEST
transforms.conf
[transforms_TEST]
DEST_KEY=_TCP_ROUTING
FORMAT=B2CDATEN2EC
REGEX=.
outputs.conf
[tcpout:B2CDATEN2EC]
#Disable the current filters from the defaults outputs.conf
forwardedindex.0.whitelist =
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
forwardedindex.0.whitelist = test
disabled = false
server = my-splunk-idx-dev:9997
Now, the data gets indexed by the my-splunk-idx-dev server, but the data doesn't land in the index "test". Instead, it is being indexed in "main" as the default configured on the UF.
What are we doing wrong here? How can we reroute the data to our "test" index on the my-splunk-idx-dev server?
Thank you in advance for any help,
Best regards, Tom
↧