https://community.splunk.com/t5/Deployment-Architecture/Send-only-few-events/m-p/384271#M21081 <P>Yes, that would be possible if you use a Heavy Forwarder for that. The feature you are looking for is called "Event Routing"</P> <P>You need to configure both servers in the outputs.conf of your forwarder, one as tcpout (for the Splunk Server), and one as syslog output (for the non-splunk server)</P> <PRE><CODE>[tcpout:splunkindexer] disabled = false server = ip.of.ind.exr [syslog:syslogout] server = ip.of.sys.log:514 type = udp </CODE></PRE> <P>Then you need to adjust the props.conf of the respective source or sourcetype</P> <PRE><CODE>[yoursourcetype] TRANSFORMS-routing = routeAll, routeSubset </CODE></PRE> <P>Finally, create a transforms.conf that does the filtering and routing</P> <PRE><CODE>[routeAll] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=splunkindexer [routeSubset] REGEX=(your_regex_to_filter) DEST_KEY=_TCP_ROUTING FORMAT=splunkindexer,syslogout </CODE></PRE> <P>Please refer to the splunk docs for details: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system</A></P> Fri, 15 Feb 2019 13:42:34 GMT DMohn 2019-02-15T13:42:34Z https://community.splunk.com/t5/Deployment-Architecture/Send-only-few-events/m-p/384270#M21080 <P>Hello Splunk Support,</P> <P>we have the following problem:<BR /> - We must send a log file to different receiver: <BR /> -- a Splunk server and the splunk server need ALL events<BR /> -- a non-splunk server, but only few events, so a whitelisting solution</P> <P>I found the following documentation<BR /> <A href="https://answers.splunk.com/answers/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-events-i-want.html">https://answers.splunk.com/answers/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-events-i-want.html</A></P> <P>Now my questions:<BR /> - Could I combine both solution – all events to one server and few events to another server??</P> Fri, 15 Feb 2019 08:20:38 GMT https://community.splunk.com/t5/Deployment-Architecture/Send-only-few-events/m-p/384270#M21080 andreas_linden 2019-02-15T08:20:38Z https://community.splunk.com/t5/Deployment-Architecture/Send-only-few-events/m-p/384271#M21081 <P>Yes, that would be possible if you use a Heavy Forwarder for that. The feature you are looking for is called "Event Routing"</P> <P>You need to configure both servers in the outputs.conf of your forwarder, one as tcpout (for the Splunk Server), and one as syslog output (for the non-splunk server)</P> <PRE><CODE>[tcpout:splunkindexer] disabled = false server = ip.of.ind.exr [syslog:syslogout] server = ip.of.sys.log:514 type = udp </CODE></PRE> <P>Then you need to adjust the props.conf of the respective source or sourcetype</P> <PRE><CODE>[yoursourcetype] TRANSFORMS-routing = routeAll, routeSubset </CODE></PRE> <P>Finally, create a transforms.conf that does the filtering and routing</P> <PRE><CODE>[routeAll] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=splunkindexer [routeSubset] REGEX=(your_regex_to_filter) DEST_KEY=_TCP_ROUTING FORMAT=splunkindexer,syslogout </CODE></PRE> <P>Please refer to the splunk docs for details: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system</A></P> Fri, 15 Feb 2019 13:42:34 GMT https://community.splunk.com/t5/Deployment-Architecture/Send-only-few-events/m-p/384271#M21081 DMohn 2019-02-15T13:42:34Z