Hi everyone,
I'm trying to use Splunk as a heavy forwarder that forwards only one index, but it doesn't work. Could someone please help me? I think there is something wrong in outputs.conf.
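# outputs.conf -- heavy forwarder: index everything locally, forward only the "alerts" index
[tcpout]
# Key was misspelled "deafultGroup"; Splunk never saw a default group.
# "nothing" is not a defined group, so events leave only when a transform
# sets _TCP_ROUTING (see transforms.conf / props.conf).
defaultGroup = nothing
# keep a local copy of what is forwarded (global setting, belongs here
# rather than in a target-group stanza)
indexAndForward = true
# Forward data for the "alerts" index only.
# NOTE: forwardedindex.* entries merge with the defaults shipped in the
# system default outputs.conf -- confirm the effective list with btool.
forwardedindex.0.whitelist = alerts

# exactly one target-group stanza (the original file declared it twice,
# which is resolved in a parser-dependent way)
[tcpout:alerts]
server = 10.28.100.121:9998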
transforms.conf:
# transforms.conf -- route every matching event to the "alerts" tcpout group
[alerts]
# match any event handed to this transform
REGEX = .
# write the target group name into the routing key
FORMAT = alerts
DEST_KEY = _TCP_ROUTING
props.conf:
# props.conf -- attach the routing transform to incoming data
# NOTE(review): props.conf stanzas normally select by sourcetype, source:: or
# host::; confirm against props.conf.spec that an index:: stanza is honored,
# otherwise this transform never runs and nothing is forwarded.
[index::alerts]
TRANSFORMS-routing = alerts
Thanks,
Federica