topic Re: Splunk forwarding selected logs to third party using Heavy Forwarder in Splunk Enterprise

Splunk forwarding selected logs to third party using Heavy Forwarder

ws — Wed, 03 Sep 2025 06:00:08 GMT

Hi,

I’d appreciate it if someone could confirm whether my understanding is correct.

My objective is to forward incoming logs from specific devices (based on IP) via TCP:514 to a third-party system, while still allowing the Heavy Forwarder to forward all logs to the indexer.

At the moment, I’m unable to verify the raw logs directly. However, I was informed that the logs include the device’s own IP, which is why I configured a REGEX in transforms.conf to match the IP and forward only those logs to the third-party system.

With the current setup, though, all logs are being forwarded to the third-party destination instead of just the targeted IP.

Below are the configurations I applied across the three conf files.

#outputs.conf
[tcpout]
defaultgroup = indexer
indexAndForward = 0

[tcpout:indexer]
server = indexer_ip:8089

[syslog]
defaultGroup = thirdparty

[syslog:thirdparty]
server = thirdparty_ip:514

# props.conf
[source::tcp:514]
TRANSFORMS-route = route_to_thirdparty

# transforms.conf
[route_to_thirdparty]
REGEX = 192\.168\.68\.(68|74)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = thirdparty

Re: Splunk forwarding selected logs to third party using Heavy Forwarder

livehybrid — Wed, 03 Sep 2025 11:26:05 GMT

Hi @ws

By setting the defaultGroup in your [syslog] stanza you are telling Splunk to use this by default, therefore everything is being sent there.

defaultGroup = <comma-separated list> * A comma-separated list of one or more target group names, specified later in [syslog:<target_group>] stanzas. * The forwarder sends all data to the specified groups. * If you don't want to forward data automatically, don't configure this setting. * Can be overridden by the '_SYSLOG_ROUTING' setting in the inputs.conf file, which in turn can be overridden by a props.conf or transforms.conf modifier.

You could either remove this, or change it to a non-existent value and restart, then it should only send there if your regex matches.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Splunk forwarding selected logs to third party using Heavy Forwarder

isoutamo — Wed, 03 Sep 2025 13:41:40 GMT

If I recall right there could be only one defaultGroup at time. It's not mater if it is under tcpout or syslog stanza, splunk use same for both.

So if you want all goes to Splunk then use defaultGroup only in tcpout stanza and when you need to route some events into syslog use transforms with _SYSLOG_ROUTING.

You should also remember that when you have configured more than one output targets which are used for same event, then if any of those stopped to receive events then all those stopped to work sooner or later. See more e.g. blockOnCloning etc.

Re: Splunk forwarding selected logs to third party using Heavy Forwarder

ws — Thu, 04 Sep 2025 03:04:57 GMT

Hi @livehybrid ,

Thanks for sharing.

This means the issue is caused by setting defaultGroup = thirdparty under [syslog].

In other words, all data is being sent to the third-party syslog destination by default. That’s why the settings in transforms.conf are being ignored, since the events are already routed to the third-party destination.

For my current situation, I believe the configurations in props.conf and transforms.conf can remain unchanged, and only outputs.conf needs to be updated.

#outputs.conf
[tcpout]
defaultgroup = indexer
indexAndForward = 0

[tcpout:indexer]
server = indexer_ip:8089

[syslog]
# defaultGroup = thirdparty

[syslog:thirdparty]
server = thirdparty_ip:514