I had this working, and have broken it apparently.
Long story short, I'm migrating universal forwarders from one indexer environment to another (Seattle to Atlanta) via a heavy forwarder, and have been going machine group by machine group, starting with Dev and QA, then QA Citrix, and now moving to prod Citrix.
Originally, dev and QA were sending to the heavy forwarder, so I set that up to send to both Atlanta and Seattle. Then, once I got all the users in the dev/QA/QA Citrix group situated on the new Splunk environment, I shut off forwarding to the old environment, which seems to be my downfall.
Right now, I'm trying to send data from the QA/dev/QA Citrix environment to Atlanta only, while sending my test prod Citrix box to both Seattle and Atlanta. I'm having a really hard time doing so, as I can only get it indexed in Atlanta and not in both Atlanta and Seattle. Could someone look through my configs and give me a sanity check?
OUTPUTS.CONF
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
disabled = false
server = swfsplidx01.domain.local:9997,swfsplidx02.domain.local:9997,swfsplidx03.domain.local:9997,swfsplidx04.domain.local:9997
[tcpout:Subsidiary]
disabled = false
server = 10.75.93.71:9997,10.75.93.72:9997
#compressed = true
TRANSFORMS.CONF
[routeALL]
REGEX=(.)
DEST_KEY = _TCP_ROUTING
#FORMAT = Everything
FORMAT = default-autolb-group
[routeTest]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Subsidiary
PROPS.CONF
#Sending to Atlanta and Seattle
[host::\b(SWFCTXFRM[0-2][0-9])\b]
TRANSFORMS-routing = routeALL, routeTest
#Just sending to Atlanta
#[host::\b(SWFCTXFRM0[4-6][D|Q]|SWFWEBDMZ[0|1][0-9][D|Q]|SWF18BORDfw01|SWFSPLUNK01)\b]
[host::\b(SWF[A-Z]{2,6}[0-9]{2}(Q|D)|SWFBUILD08)\b]
TRANSFORMS-routing = routeALL
TZ = US/Eastern
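As an added example (not the poster's own config, and not an answer from the thread): the way the same three files route one set of hosts to both target groups with a single transform. Transforms in a TRANSFORMS- list run in order, and each one that sets _TCP_ROUTING replaces the value the previous one wrote, so listing two single-group transforms leaves only the last group; naming more than one target group is done with a comma-separated FORMAT in one transform. Group names, server addresses and host patterns are the ones from the post; the transform names routeBoth and routeAtlantaOnly are my own. The three files are shown in one block, separated by comments.

```ini
# outputs.conf on the heavy forwarder (groups and servers as in the post)
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = swfsplidx01.domain.local:9997,swfsplidx02.domain.local:9997,swfsplidx03.domain.local:9997,swfsplidx04.domain.local:9997

[tcpout:Subsidiary]
disabled = false
server = 10.75.93.71:9997,10.75.93.72:9997

# transforms.conf: one transform per routing decision.
# A transform that writes _TCP_ROUTING overwrites what an earlier transform
# in the same TRANSFORMS- list wrote, so "routeALL, routeTest" cannot add up
# to both groups. Put both group names in one FORMAT instead.
# (Stanza names routeBoth / routeAtlantaOnly are assumed for this example.)
[routeBoth]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = default-autolb-group,Subsidiary

[routeAtlantaOnly]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = default-autolb-group

# props.conf: host patterns copied from the post, each pointing at exactly
# one routing transform.
# Sending to Atlanta and Seattle
[host::\b(SWFCTXFRM[0-2][0-9])\b]
TRANSFORMS-routing = routeBoth

# Just sending to Atlanta
[host::\b(SWF[A-Z]{2,6}[0-9]{2}(Q|D)|SWFBUILD08)\b]
TRANSFORMS-routing = routeAtlantaOnly
TZ = US/Eastern
```

After restarting the heavy forwarder, `splunk btool transforms list routeBoth --debug` shows which file the stanza is actually being read from and whether a copy elsewhere in the layering overrides the FORMAT line, and `$SPLUNK_HOME/var/log/splunk/metrics.log` entries with `group=tcpout_connections` show whether the forwarder has an open connection to both the Subsidiary and the default-autolb-group indexers. Events from hosts that no props.conf stanza matches still go to defaultGroup only.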