Route data on Heavy Forwarder is not working

Hi guys,

I tried hard here and read some docs:

(https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf)
(https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Propsconf)
(https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Transformsconf)
(https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Outputsconf)
(https://docs.splunk.com/Documentation/Splunk/7.1.0/Forwarding/Forwarddatatothird-partysystemsd)
(https://answers.splunk.com/answers/474297/how-to-route-and-filter-data-on-the-heavy-forwarde.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev)

But I don't know what I am doing wrong. I just have to send data to different indexers, but my Heavy Forwarder is cloning the data (I need some of the data on indexer01 and the other on indexer02).

Here is my inputs.conf (all configs on my Heavy Forwarder):

    [splunktcp://9997]

Here is my props.conf:

    [host::SRVPRD0001]
    TRANSFORMS-routing = index01

    [host::SRVPRD0002]
    TRANSFORMS-routing = index02

    [host::SRVPRD0003]
    TRANSFORMS-routing = index02

    [host::SRVPRD0004]
    TRANSFORMS-routing = index02

    [host::SRVPRD0005]
    TRANSFORMS-routing = index02

Here is my transforms.conf:

    [index01]
    REGEX= .
    DEST_KEY=_TCP_ROUTING
    FORMAT=sendtoidx01

    [index02]
    REGEX= .
    DEST_KEY=_TCP_ROUTING
    FORMAT=sendtoidx02

Here is my outputs.conf:

    [default]
    indexAndForward=false

    [tcpout:sendtoidx01]
    disabled=false
    server=192.168.1.73:9997

    [tcpout:sendtoidx02]
    disabled=false
    server=192.168.1.72:9997
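Added example, not part of the original post and not Splunk code: a small Python check that follows the name references in the posted files (props.conf host stanza, then transforms.conf stanza, then outputs.conf tcpout group) and reports any reference that does not resolve. The function names are hypothetical, and the check looks only at the stanza names in the files, not at how the forwarder treats events at runtime.

```python
import configparser

# Config text copied from the post (props.conf shortened to two of the five
# hosts, outputs.conf without its [default] stanza).
PROPS = """[host::SRVPRD0001]
TRANSFORMS-routing = index01
[host::SRVPRD0002]
TRANSFORMS-routing = index02
"""
TRANSFORMS = """[index01]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=sendtoidx01
[index02]
REGEX= .
DEST_KEY=_TCP_ROUTING
FORMAT=sendtoidx02
"""
OUTPUTS = """[tcpout:sendtoidx01]
disabled=false
server=192.168.1.73:9997
[tcpout:sendtoidx02]
disabled=false
server=192.168.1.72:9997
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp

def resolve_routes(props_text, transforms_text, outputs_text):
    """Follow props -> transforms -> outputs; return ({host: [servers]}, [problems])."""
    props, transforms, outputs = map(load, (props_text, transforms_text, outputs_text))
    routes, problems = {}, []
    for stanza in (s for s in props.sections() if s.startswith("host::")):
        host = stanza[len("host::"):]
        names = [n.strip() for k, v in props[stanza].items()
                 if k.startswith("TRANSFORMS-") for n in v.split(",")]
        for name in names:
            if not transforms.has_section(name):
                problems.append(f"{host}: transforms stanza [{name}] not found")
            elif transforms[name].get("DEST_KEY") == "_TCP_ROUTING":
                for group in transforms[name].get("FORMAT", "").split(","):
                    section = "tcpout:" + group.strip()
                    if outputs.has_section(section):
                        routes.setdefault(host, []).append(outputs[section].get("server"))
                    else:
                        problems.append(f"{host}: [{section}] not found in outputs.conf")
    return routes, problems
```

Run against the posted text, every host resolves to exactly one server and no reference is reported as missing, so the stanza names in the three files are consistent with each other.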
