Our splunk environment consists of a Universal Forwarder, Heavy forwarder and Indexer.
We are importing our AWS cloudtrail data from an S3 bucket using SQS via the AWS Add on. I have configured this on the HF which has created a config entry under {SplunkApp}/etc/apps/Splunk_TA_aws/local/inputs.conf
[aws_sqs_based_s3://CloudTrail]
aws_account = MY-EC2-ROLE
aws_iam_role = Splunk
index = aws_fwd
interval = 300
s3_file_decoder = CloudTrail
sourcetype =
sqs_batch_size = 100
sqs_queue_region = eu-west-2
sqs_queue_url = https://account/queuename
disabled = 0
When you create an input type it requires an index to send the data (here it's aws_fwd). However I want to send this on to the indexer in a seperate index. How can I specify this so the data goes from AWS into the HF and then onto the indexer? The HF > Indexer output is configured on port 9997 - any help would be great.
↧