https://community.splunk.com/t5/Getting-Data-In/Can-I-route-some-data-as-syslog-output-to-multiple-destinations/m-p/16246#M1925 <P>I am indexing data feeds A and B and want to forward just data from B as syslog to servers X and Y (cloning the data stream). How can I do this?</P> Sat, 26 Jun 2010 03:55:02 GMT Dan 2010-06-26T03:55:02Z https://community.splunk.com/t5/Getting-Data-In/Can-I-route-some-data-as-syslog-output-to-multiple-destinations/m-p/16246#M1925 <P>I am indexing data feeds A and B and want to forward just data from B as syslog to servers X and Y (cloning the data stream). How can I do this?</P> Sat, 26 Jun 2010 03:55:02 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-route-some-data-as-syslog-output-to-multiple-destinations/m-p/16246#M1925 Dan 2010-06-26T03:55:02Z https://community.splunk.com/t5/Getting-Data-In/Can-I-route-some-data-as-syslog-output-to-multiple-destinations/m-p/16247#M1926 <P>Here is an example config that accomplishes this. I would recommend reading: <A href="http://www.splunk.com/base/Documentation/latest/Admin/Configureforwarderswithoutputs.conf" rel="nofollow">http://www.splunk.com/base/Documentation/latest/Admin/Configureforwarderswithoutputs.conf</A></P> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE>[syslog] defaultGroup=nothing indexAndForward=true [syslog:serverX] server = beefysup01:514 [syslog:serverY] server = 10.1.12.10:514 </CODE></PRE> <P><EM>Note: By default, all events will get sent to all configured target groups. To avoid this, you need to set defaultGroup=nothing ("nothing" can be any name that is not defined as a target group). Then you manually route data to the targets using props and transforms.</EM></P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[source::B] TRANSFORMS-routing=syslogRouting </CODE></PRE> <P><EM>Note: This is an example of why you should receive different types of network inputs on different ports. If data feeds A and B were different kinds of syslog (say router data and proxy data), and if both were received on default syslog port 514, then you would have a hard time separating A from B.</EM></P> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[syslogRouting] REGEX=. DEST_KEY=_SYSLOG_ROUTING FORMAT=serverX,serverY </CODE></PRE> <P><EM>Note: FORMAT is a comma separated list of target groups, which results in cloning of the data.</EM></P> Sat, 26 Jun 2010 05:01:14 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-route-some-data-as-syslog-output-to-multiple-destinations/m-p/16247#M1926 Dan 2010-06-26T05:01:14Z https://community.splunk.com/t5/Getting-Data-In/Can-I-route-some-data-as-syslog-output-to-multiple-destinations/m-p/16248#M1927 <P>I believe that this could be more efficiently accomplished this way, assuming feed A comes in in port 1500, and B comes in on port 1600:</P> <P>inputs.conf:</P> <PRE><CODE>[udp:1500] _SYSLOG_ROUTING = nothing [udp:1600] _SYSLOG_ROUTING = serverX,serverY </CODE></PRE> <P>outputs.conf:</P> <PRE><CODE>[syslog] defaultGroup = none [serverX] server = x:1234 [serverY] server = y:1234 </CODE></PRE> Sat, 26 Jun 2010 05:33:14 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-route-some-data-as-syslog-output-to-multiple-destinations/m-p/16248#M1927 gkanapathy 2010-06-26T05:33:14Z https://community.splunk.com/t5/Getting-Data-In/Can-I-route-some-data-as-syslog-output-to-multiple-destinations/m-p/16249#M1928 <P>I think you can only set _TCPOUT_ROUTING in inputs.conf</P> Mon, 28 Sep 2020 09:14:05 GMT https://community.splunk.com/t5/Getting-Data-In/Can-I-route-some-data-as-syslog-output-to-multiple-destinations/m-p/16249#M1928 Dan 2020-09-28T09:14:05Z