Hi,
We use a splunk architecture where all events go through a heavy forwarder before getting to an indexer. The HF does extensive filting, transforms (trimming), and anonymisiation and is basically the 'gateway' to the indexers.
The recommendation for DBConnect2 is to deploy it on a dedicated heavy forwarder. That aligns nicely with our existing architecture. However it appears I can't do any routing or filtering of events loaded by DBCOnnect on the heavy forwarder itself.
For example, DB Connect ingests 2 different database sources. DBSource1, DBSource2. I want to route them DBSource1->Index1 on Indexer1, and DBSource2->Index2 on Indexer2, but all loading from the single dbconnect app on the one heavy forwarder.
Is this possible? So far, DBConnect allows me tochose which index to put events in, but I can't choose which Indexer to send the events to. Does DBConnect/Splunk honor normal inputs.conf _TCP_ROUTING for the DBCOnnect app?
Thankyou to anyone who has any insights!
GB
↧