topic Re: forwarding logs through props.conf in Splunk Enterprise

forwarding logs through props.conf

franciscof — Thu, 25 Feb 2021 12:46:20 GMT

Hi guys. i´m trying to forward some events to another indexer usin my configuration files props.conf, transforms.conf and outputs.conf but the problem is that when I do it I forward all my data and not onlt the index and sourcetype that I want to forward even though I´m sure of applying those filters correctly on my props.conf

What could be happening?

Thanks in advance.

Re: forwarding logs through props.conf

jodonald — Mon, 01 Mar 2021 20:32:30 GMT

probably the indexAndFoward setting

It would be greatly helpful if you include your props and transforms. Also please review the splunk docs for routing and filtering data.

https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad

Re: forwarding logs through props.conf

franciscof — Wed, 03 Mar 2021 13:37:23 GMT

Hi,

Here is my props.conf located on /opt/splunk/etc/apps/search/local

[f5:bigip:syslog]
TRANSFORMS-routing = routeLT
index = test_f5
source = tcp:9515

Here is my transforms.conf located on /opt/splunk/etc/apps/search/local

[routeLT]
REGEX=(\w+?\-?\w+\-\w+(?:\-\w+)?\:\:\w+\-?\d?\.\"\S+\"\s+\=\s+\".*\"|\d+\/\d+\/\d+\s+[\d\:]+\s+\-\S+\s+.action\=ping\s+\S+\n\S+.+\n.+ms)
DEST_KEY=_TCP_ROUTING
FORMAT=LightTech, default-autolb-group

Here is my inputs.conf located on /opt/splunk/etc/apps/search/local

[tcp://9515]
connection_host = ip
index = test_f5
sourcetype = f5:bigip:syslog
_TCP_ROUTING = LighTech

And here is my outputs.conf located on /opt/splunk/etc/system/local

[tcpout]
forwardedindex.filter.disable = true
indexAndForward = true

[tcpout:LighTech]
server = 190.210.177.194:9997

[indexAndForward]
index = true

What could be wrong?