https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88145#M18291 <P>Good day</P> <P>i Read this document regarding to the forward data to third-party systems</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd#Forward_syslog_data" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd#Forward_syslog_data</A></P> <P>and my question is can i forward my created index? instead of host?</P> <P>For example</P> <P>props.conf</P> <P>to this </P> <PRE><CODE> [host::nyc*] TRANSFORMS-nyc = send_to_syslog </CODE></PRE> <P>Into this</P> <PRE><CODE> [index::sample] TRANSFORMS-sample = send_to_syslog </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[send_to_syslog] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = my_syslog_group </CODE></PRE> <P>output.conf</P> <PRE><CODE>[syslog:my_syslog_group] server = loghost.example.com:514 </CODE></PRE> <P>In short i would like to send the contents of the index into other non-splunk systems</P> <P>Regards<BR /> Cris</P> Mon, 28 Sep 2020 12:37:00 GMT christantoy 2020-09-28T12:37:00Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88145#M18291 <P>Good day</P> <P>i Read this document regarding to the forward data to third-party systems</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd#Forward_syslog_data" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd#Forward_syslog_data</A></P> <P>and my question is can i forward my created index? instead of host?</P> <P>For example</P> <P>props.conf</P> <P>to this </P> <PRE><CODE> [host::nyc*] TRANSFORMS-nyc = send_to_syslog </CODE></PRE> <P>Into this</P> <PRE><CODE> [index::sample] TRANSFORMS-sample = send_to_syslog </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[send_to_syslog] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = my_syslog_group </CODE></PRE> <P>output.conf</P> <PRE><CODE>[syslog:my_syslog_group] server = loghost.example.com:514 </CODE></PRE> <P>In short i would like to send the contents of the index into other non-splunk systems</P> <P>Regards<BR /> Cris</P> Mon, 28 Sep 2020 12:37:00 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88145#M18291 christantoy 2020-09-28T12:37:00Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88146#M18292 <P>Yes. While you can't match against index directly in the stanza, you can put in a default section and then match it in a regex instead by using <CODE>SOURCE_KEY</CODE>.</P> <P>props.conf:</P> <PRE><CODE>[default] TRANSFORMS-sampleindex = send_sample_index_to_syslog </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[send_sample_index_to_syslog] SOURCE_KEY = _MetaData:Index REGEX = ^sample$ DEST_KEY = _SYSLOG_ROUTING FORMAT = my_syslog_group </CODE></PRE> Fri, 12 Oct 2012 06:30:06 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88146#M18292 Ayn 2012-10-12T06:30:06Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88147#M18293 <P>Thanks for you answer </P> <P>But you said that i can put in a default section?<BR /> on here splunk &gt; etc &gt; system &gt; default ? i am right?</P> <P>and but the way i am not much familiar with regex can i done with a default?</P> <P>Regards Cris</P> Fri, 12 Oct 2012 06:50:12 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88147#M18293 christantoy 2012-10-12T06:50:12Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88148#M18294 <P>The [default] section can be put in the same props.conf file as other settings you would want to apply. Where it resides doesn't really matter as long as it's in a location where Splunk is seeing and using it.</P> <P>Re your second question, I'm afraid I don't entirely understand what you mean.</P> Fri, 12 Oct 2012 06:52:42 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88148#M18294 Ayn 2012-10-12T06:52:42Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88149#M18295 <P>Thank you again!</P> <P>Forget about the second question. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>BTW my outputs.conf is that correct? do i need to used that? </P> <P>Regards<BR /> Cris</P> Fri, 12 Oct 2012 07:05:05 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88149#M18295 christantoy 2012-10-12T07:05:05Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88150#M18296 <P>Hi again Ayn</P> <P>can i create a conf file? for output.conf and the other instead? it will work if i do that?</P> <P>Thanks and Regards <BR /> Cris</P> Fri, 12 Oct 2012 07:39:37 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-into-3rd-party-systems-using-index-instead-of-host/m-p/88150#M18296 christantoy 2012-10-12T07:39:37Z