All --
I'm seeking any advice I can get at this point. A little background: I manage two different user communities (A and B). Community A consists of a universal forwarder aggregator machine, as well as a combination indexer/search head. I believe the topology of community B to be irrelevant.
I've been given the task of taking a subset of events from community A and sending them to community B. To further complicate things, the data that I'm seeking to send to community B is produced by a saved search (using '|output csv') by the single indexer present in community A. The CSV is output to the local filesystem of community A's indexer, and an inputs.conf file monitors that CSV and imports the contents into an index dedicated to housing only these events.
My attempts as of this point have consisted of specifying the following in community A's indexer outputs.conf file:
[tcpout]
indexAndForward = true
forwardedindex.0.whitelist = indexforthisspecificpurpose
forwardedindex.1.blacklist = _.*
forwardedindex.2.blacklist = .*
[tcpout:mytarget]
server=blahip:9997
... ssl config ...
Community A's indexer/search head receives a feed of events from community A via a universal forwarder aggregator. These events should all be written and stored to the indexer.
Given this config, I'm not observing the intended result (events only destined to index=indexforthisspecificpurpose). I'm seeing results go to index=os (unix app) and one of our summary indexes. Knowing this, I can say that as far as the link between communities, the connection works. However, the whitelisting/selection of data is not behaving as desired.
Has anyone tried to do something like this? Do you have any suggestions how to accomplish this?
Thanks!
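Added example, not from the poster: a small Python model of how the ordered forwardedindex.<n> whitelist/blacklist filters in a [tcpout] stanza are evaluated, run over the posted stanza and over a constructed alternative ordering. It assumes the evaluation documented in outputs.conf.spec (filters tested from n=0 upward, the last matching filter decides, an index matched by no filter is not forwarded) and unanchored regex searches; the index names other than indexforthisspecificpurpose are constructed.

```python
import re

# Constructed copy of the poster's [tcpout] stanza (server/SSL lines omitted).
POSTED_CONF = """
[tcpout]
indexAndForward = true
forwardedindex.0.whitelist = indexforthisspecificpurpose
forwardedindex.1.blacklist = _.*
forwardedindex.2.blacklist = .*
"""

# Constructed alternative ordering: deny everything first, then re-allow one
# index, so the higher-numbered whitelist is the last filter that matches it.
SELECTIVE_CONF = """
[tcpout]
forwardedindex.0.blacklist = .*
forwardedindex.1.whitelist = indexforthisspecificpurpose
"""

RULE_RE = re.compile(r"\s*forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(\S+)")


def parse_forwardedindex(conf_text):
    """Return [(n, kind, regex)] sorted by n; reject gaps in n, which the spec forbids."""
    rules = sorted((int(m.group(1)), m.group(2), m.group(3))
                   for m in map(RULE_RE.match, conf_text.splitlines()) if m)
    if [n for n, _, _ in rules] != list(range(len(rules))):
        raise ValueError("forwardedindex.<n> must run 0..max with no gaps")
    return rules


def is_forwarded(index, rules):
    """Model (assumption) of the documented evaluation: filters are tested from
    n=0 upward and the last one whose regex matches decides; an index that no
    filter matches is not forwarded. Regexes are unanchored searches, as with
    other Splunk whitelist/blacklist settings."""
    decision = False
    for _, kind, pattern in rules:
        if re.search(pattern, index):
            decision = kind == "whitelist"
    return decision


def forwarded_indexes(candidates, conf_text):
    rules = parse_forwardedindex(conf_text)
    return [ix for ix in candidates if is_forwarded(ix, rules)]


if __name__ == "__main__":
    sample = ["indexforthisspecificpurpose", "os", "summary_daily", "_internal"]
    print("posted   :", forwarded_indexes(sample, POSTED_CONF))
    print("selective:", forwarded_indexes(sample, SELECTIVE_CONF))
```

Under this model the posted ordering forwards nothing, because the final `.*` blacklist is the last filter to match every index, while the constructed ordering forwards only the one intended index; checking your real stanza with `splunk btool outputs list tcpout` shows the effective filters after default and app-level outputs.conf files are merged.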