Configure different HEC destinations

[ivanfr90]

Hi.

We have a SC4SNMP instance on a K8S arquitecture configured for traps and polling. Also we hace several Heavy Forwarders and we need to send traps to a specific Heavy Forwarder and polling events and metrics to other Heavy Forwarder. It's possible create some type of redirection based on this specific configuration?

Our approach right now is to execute an instance of SC4SNMP only for traps and another instance of SC4SNMP for polling. Each of this instances send data to a specific Heavy Forwarder. Could you suggest some kind of alternative architecture?

Thanks!

[ikheifets-splunk]

On call discussed with @ivanfr90 that they need to segregate polling/walks logs to one Splunk, and traps to another Splunk.

We discussed to use for that Splunk Edge Processor, but SPL2 not enough powerful and they wanna use vector that have support of Lua for implement complex pipelines.

Proposed workarounds:

• Use seperaed SC4SNMP instances, one of that will report only poll/walks to vector (using HEC adapter), second one will report only traps will go to Splunk.
• Consume all logs in vector and make different branch of logic for logs with sourcetype sc4snmp:traps / sc4snmp:event / sc4snmp:metric.

P.S. @ivanfr90 If I miss something or you have any question, please reopen this issue