https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429710#M7696 <P>I tried to add the stanzas in one transform rule first. Unfortunately the result was the same. I got indexed data, but no syslog out. <BR /> It is possible to debug this kind of failures with splunk log somehow ?</P> Tue, 29 May 2018 16:56:29 GMT szrobag 2018-05-29T16:56:29Z https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429704#M7690 <P>Hello</P> <P>I have few of devices logging to an index feeding Splunk via Syslog on 514/UDP. <BR /> I want to index <STRONG>and</STRONG> syslog-route logs coming in over port 514 from one IP address to a specific remote syslog server.</P> <P>I have tried this config, dont know what's went wrong... :</P> <P><STRONG>props.conf</STRONG></P> <P>[host::x.x.x.x]<BR /> TRANSFORMS-fw-1 = redirect_1<BR /> TRANSFORMS-fw-2 = redirect_2</P> <P><STRONG>transforms.conf</STRONG></P> <P>[redirect_1]<BR /> REGEX = .<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = default-autolb-group</P> <P>[redirect_2]<BR /> REGEX = .<BR /> DEST_KEY = _SYSLOG_ROUTING<BR /> FORMAT = ( syslog server defined in outputs.conf )</P> <P>I see indexed data, but not the syslog output...</P> <P>Or... define the host in <STRONG>inputs.conf</STRONG></P> <P>[udp://x.x.x.x:514]<BR /> _SYSLOG_ROUTING = ( syslog server defined in outputs.conf )</P> <P>thanks.</P> Tue, 29 Sep 2020 19:46:31 GMT https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429704#M7690 szrobag 2020-09-29T19:46:31Z https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429705#M7691 <P>Can you share how you defined the syslog server in outputs.conf? Scrubbed is fine.</P> Tue, 29 May 2018 13:45:08 GMT https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429705#M7691 kmorris_splunk 2018-05-29T13:45:08Z https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429706#M7692 <P>Sure.</P> <P>[syslog:fw_test]<BR /> disabled = false<BR /> server = 8.8.8.8:514<BR /> type = udp</P> Tue, 29 May 2018 13:53:03 GMT https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429706#M7692 szrobag 2018-05-29T13:53:03Z https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429707#M7693 <P>Change the FORMAT in transforms.conf to the outputs.conf stanza name. Not the server name:</P> <P>[redirect_2]<BR /> REGEX = .<BR /> DEST_KEY = _SYSLOG_ROUTING<BR /> FORMAT = fw_test</P> Tue, 29 Sep 2020 19:42:59 GMT https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429707#M7693 jkat54 2020-09-29T19:42:59Z https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429708#M7694 <P>No need to modify, i already use "FORMAT = fw_test" in config. </P> Tue, 29 May 2018 16:03:58 GMT https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429708#M7694 szrobag 2018-05-29T16:03:58Z https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429709#M7695 <P>What if you combine your transforms statement in props.conf:</P> <P>TRANSFORMS-fw = redirect_1, redirect_2</P> Tue, 29 Sep 2020 19:43:02 GMT https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429709#M7695 jkat54 2020-09-29T19:43:02Z https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429710#M7696 <P>I tried to add the stanzas in one transform rule first. Unfortunately the result was the same. I got indexed data, but no syslog out. <BR /> It is possible to debug this kind of failures with splunk log somehow ?</P> Tue, 29 May 2018 16:56:29 GMT https://community.splunk.com/t5/Splunk-Dev/Syslog-routing/m-p/429710#M7696 szrobag 2018-05-29T16:56:29Z