https://community.splunk.com/t5/Getting-Data-In/Forward-data-input-copy-to-syslog-without-apply-SEDCMD/m-p/123896#M25559 <P>So, in order to solve my problem I had to re-think about it and thanks God it´s worked.</P> <P>I will put config first, and them I will explain the idea behind it.</P> <P><STRONG>outputs.conf</STRONG></P> <BLOCKQUOTE> <P>[tcpout:LB_indexers]</P> <P>server=SPLUNK-IDX-IP:9997</P> <P>[tcpout]</P> <P>defaultGroup=LB_indexers</P> <P>disabled=false</P> <P>[syslog:my_syslog]</P> <P>server = SYSLOG-IP:514</P> </BLOCKQUOTE> <P><STRONG>props.conf</STRONG></P> <BLOCKQUOTE> <P>[WinEventLog:Application]</P> <P>SEDCMD-remove_eol = s/[\n\r]/ /g</P> <P>SEDCMD-remove_message_flag = s/(\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s\w{2})(.<EM>)(VtexMetric|VtexMachineMetric)(.</EM>)(Message=# )(.*)/\1 \3 \6/g</P> <P>TRANSFORMS-sendData = send2Syslog,sendNull,setLogger</P> <P>TRANSFORMS-setDataSource = setMetricSource,setMachineMetricSource</P> <P>TRANSFORMS-setDataIndex = setLoggerLogsIndex,setRequestCaptureIndex,setLogisticsIndex</P> </BLOCKQUOTE> <P><STRONG>transforms.conf</STRONG></P> <BLOCKQUOTE> <P>[send2Syslog]</P> <P>REGEX = VtexLog</P> <P>DEST_KEY = _SYSLOG_ROUTING</P> <P>FORMAT = sumologic_syslog</P> <P>[sendNull]</P> <P>REGEX = ^(?!.<EM>VtexLog|VtexMetric|VtexMachineMetric).</EM>$</P> <P>DEST_KEY = queue</P> <P>FORMAT = nullQueue</P> <P>[setLogger]</P> <P>REGEX = VtexLog|VtexMetric|VtexMachineMetric</P> <P>DEST_KEY = queue</P> <P>FORMAT = indexQueue</P> <P>[setMetricSource]</P> <P>REGEX = VtexMetric</P> <P>FORMAT = sourcetype::VtexMetric</P> <P>DEST_KEY = MetaData:Sourcetype</P> <P>[setMachineMetricSource]</P> <P>REGEX = VtexMachineMetric</P> <P>FORMAT = sourcetype::VtexMachineMetric</P> <P>DEST_KEY = MetaData:Sourcetype</P> <P>[setLoggerLogsIndex]</P> <P>REGEX = VtexLog</P> <P>FORMAT = logger_logs</P> <P>DEST_KEY = _MetaData:Index</P> <P>[setRequestCaptureIndex]</P> <P>REGEX = VtexMetric|VtexMachineMetric.*AppName=vtex.requestcapture</P> <P>FORMAT = rc</P> <P>DEST_KEY = _MetaData:Index</P> <P>[setLogisticsIndex]</P> <P>REGEX = VtexMetric|VtexMachineMetric.*AppName=vtex.commerce.logistics</P> <P>FORMAT = logistics</P> <P>DEST_KEY = _MetaData:Index</P> </BLOCKQUOTE> <P>The objetive was to send to Splunk index only data generated from <EM>EventView</EM> with source <STRONG>VtexMetric</STRONG> or <STRONG>VtexMachineMetric</STRONG>. At same time I would like to forward data with source <STRONG>VtexLog</STRONG> to a third system syslog.</P> <P>On Props file first the line breaks are removed, then for VtexMetric and VtexMachineMetric data is cleaned it has the EventViewer header removed and only Message data is keeped.</P> <P>The tricks are on transforms, first data that has VtexLog is forwarder to <EM>_SYSLOG_ROUTING</EM> at same time there is a selective filtering running on <EM>sendNull</EM> and <EM>setLogger</EM> stanza. On <EM>sendNull</EM> all data that aren´t VtexLog or VtexMetric or VtexMachineMetric is discarded, that way I avoided windows logs. The oposite is made on <EM>setLogger</EM> where I set to indexQueue data that has desired sources.</P> <P>On <EM>setMetricSource</EM> and <EM>setMachineMetricSource</EM> transforms the sourcetype is changed based on windows event viewer source.</P> <P>Things stats to be cool on <STRONG>setLoggerLogsIndex</STRONG> transformation, since I allow logs to be indexed on <EM>setLogger</EM> transformation now I redirect all logs to this specific indexs. Remember that I don´t want to have those data indexed and I only keep it in order to continue to send it to third party syslog system. So the trick is create the index on Splunk Indexer and then <STRONG>disable</STRONG> it. If you desire you can send your not wanted data to a non-created index but it will put a warning on your SearchHead.</P> <P>On <EM>setRequestCaptureIndex</EM> and <EM>setLogisticsIndex</EM> I finish my needs sending rest of data to correct index.</P> <P>And that how I made to send data to a third party syslog server without index what I don´t want.</P> Mon, 28 Sep 2020 15:12:48 GMT fabiocaldas 2020-09-28T15:12:48Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-input-copy-to-syslog-without-apply-SEDCMD/m-p/123895#M25558 <P>I collect my data using UniveralForwarder, them send it to HeavyForwarder.</P> <P>I would like to send a copy of data that enter into HF to a syslog server. On my HF, I have the following configs:</P> <P><STRONG>inputs.conf</STRONG> </P> <BLOCKQUOTE> <P>[splunktcp://9997]</P> <P>disabled = 0</P> <P>_SYSLOG_ROUTING = syslogserver</P> </BLOCKQUOTE> <P><STRONG>outputs.conf</STRONG></P> <BLOCKQUOTE> <P>[syslog:syslogserver]</P> <P>server = MY-SYSLOG-IP:514</P> <P>sendCookedData = false</P> <P>[tcpout:LB_indexers]</P> <P>server=MY-SPLUNK-IDX-SERVER:9997</P> <P>[tcpout]</P> <P>defaultGroup=LB_indexers</P> <P>disabled=false</P> </BLOCKQUOTE> <P><STRONG>props.conf</STRONG></P> <BLOCKQUOTE> <P>[WinEventLog:Application]</P> <P>SEDCMD-remove_eol = s/[\n\r]/ /g</P> <P>SEDCMD-remove_message_flag = s/(\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s\w{2})(.<EM>)(VtexLog|VtexMetric|VtexMachineMetric)(.</EM>)(Message=# )(.*)/\1 \3 \6/g</P> </BLOCKQUOTE> <P>The point is that, I would like to apply those SEDCMD only to data that is sent to Splunk Indexer. I would like to send to syslog the data without any cut.</P> <P>I need suggestions, thanks folks !!</P> Mon, 28 Sep 2020 15:09:27 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-input-copy-to-syslog-without-apply-SEDCMD/m-p/123895#M25558 fabiocaldas 2020-09-28T15:09:27Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-input-copy-to-syslog-without-apply-SEDCMD/m-p/123896#M25559 <P>So, in order to solve my problem I had to re-think about it and thanks God it´s worked.</P> <P>I will put config first, and them I will explain the idea behind it.</P> <P><STRONG>outputs.conf</STRONG></P> <BLOCKQUOTE> <P>[tcpout:LB_indexers]</P> <P>server=SPLUNK-IDX-IP:9997</P> <P>[tcpout]</P> <P>defaultGroup=LB_indexers</P> <P>disabled=false</P> <P>[syslog:my_syslog]</P> <P>server = SYSLOG-IP:514</P> </BLOCKQUOTE> <P><STRONG>props.conf</STRONG></P> <BLOCKQUOTE> <P>[WinEventLog:Application]</P> <P>SEDCMD-remove_eol = s/[\n\r]/ /g</P> <P>SEDCMD-remove_message_flag = s/(\d{2}\/\d{2}\/\d{4}\s\d{2}:\d{2}:\d{2}\s\w{2})(.<EM>)(VtexMetric|VtexMachineMetric)(.</EM>)(Message=# )(.*)/\1 \3 \6/g</P> <P>TRANSFORMS-sendData = send2Syslog,sendNull,setLogger</P> <P>TRANSFORMS-setDataSource = setMetricSource,setMachineMetricSource</P> <P>TRANSFORMS-setDataIndex = setLoggerLogsIndex,setRequestCaptureIndex,setLogisticsIndex</P> </BLOCKQUOTE> <P><STRONG>transforms.conf</STRONG></P> <BLOCKQUOTE> <P>[send2Syslog]</P> <P>REGEX = VtexLog</P> <P>DEST_KEY = _SYSLOG_ROUTING</P> <P>FORMAT = sumologic_syslog</P> <P>[sendNull]</P> <P>REGEX = ^(?!.<EM>VtexLog|VtexMetric|VtexMachineMetric).</EM>$</P> <P>DEST_KEY = queue</P> <P>FORMAT = nullQueue</P> <P>[setLogger]</P> <P>REGEX = VtexLog|VtexMetric|VtexMachineMetric</P> <P>DEST_KEY = queue</P> <P>FORMAT = indexQueue</P> <P>[setMetricSource]</P> <P>REGEX = VtexMetric</P> <P>FORMAT = sourcetype::VtexMetric</P> <P>DEST_KEY = MetaData:Sourcetype</P> <P>[setMachineMetricSource]</P> <P>REGEX = VtexMachineMetric</P> <P>FORMAT = sourcetype::VtexMachineMetric</P> <P>DEST_KEY = MetaData:Sourcetype</P> <P>[setLoggerLogsIndex]</P> <P>REGEX = VtexLog</P> <P>FORMAT = logger_logs</P> <P>DEST_KEY = _MetaData:Index</P> <P>[setRequestCaptureIndex]</P> <P>REGEX = VtexMetric|VtexMachineMetric.*AppName=vtex.requestcapture</P> <P>FORMAT = rc</P> <P>DEST_KEY = _MetaData:Index</P> <P>[setLogisticsIndex]</P> <P>REGEX = VtexMetric|VtexMachineMetric.*AppName=vtex.commerce.logistics</P> <P>FORMAT = logistics</P> <P>DEST_KEY = _MetaData:Index</P> </BLOCKQUOTE> <P>The objetive was to send to Splunk index only data generated from <EM>EventView</EM> with source <STRONG>VtexMetric</STRONG> or <STRONG>VtexMachineMetric</STRONG>. At same time I would like to forward data with source <STRONG>VtexLog</STRONG> to a third system syslog.</P> <P>On Props file first the line breaks are removed, then for VtexMetric and VtexMachineMetric data is cleaned it has the EventViewer header removed and only Message data is keeped.</P> <P>The tricks are on transforms, first data that has VtexLog is forwarder to <EM>_SYSLOG_ROUTING</EM> at same time there is a selective filtering running on <EM>sendNull</EM> and <EM>setLogger</EM> stanza. On <EM>sendNull</EM> all data that aren´t VtexLog or VtexMetric or VtexMachineMetric is discarded, that way I avoided windows logs. The oposite is made on <EM>setLogger</EM> where I set to indexQueue data that has desired sources.</P> <P>On <EM>setMetricSource</EM> and <EM>setMachineMetricSource</EM> transforms the sourcetype is changed based on windows event viewer source.</P> <P>Things stats to be cool on <STRONG>setLoggerLogsIndex</STRONG> transformation, since I allow logs to be indexed on <EM>setLogger</EM> transformation now I redirect all logs to this specific indexs. Remember that I don´t want to have those data indexed and I only keep it in order to continue to send it to third party syslog system. So the trick is create the index on Splunk Indexer and then <STRONG>disable</STRONG> it. If you desire you can send your not wanted data to a non-created index but it will put a warning on your SearchHead.</P> <P>On <EM>setRequestCaptureIndex</EM> and <EM>setLogisticsIndex</EM> I finish my needs sending rest of data to correct index.</P> <P>And that how I made to send data to a third party syslog server without index what I don´t want.</P> Mon, 28 Sep 2020 15:12:48 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-input-copy-to-syslog-without-apply-SEDCMD/m-p/123896#M25559 fabiocaldas 2020-09-28T15:12:48Z