https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21016#M3103 <P>Your config looks fine to me.<BR /><BR /> Have you correctly defined the input on the other side and tested connectivity?</P> Fri, 02 Aug 2013 08:28:15 GMT Drainy 2013-08-02T08:28:15Z https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21012#M3099 <P>Using a heavy forwarder I'm having some issues using the <CODE>_TCP_ROUTING</CODE> examples posted in splunk docs and some splunk base answers.<BR /> I am just trying to forward a specific sourcetype log type to another forwarder, Is this correct or is there anything i am doing wrong?</P> <PRE><CODE>in props.conf [somesourcetype] TRANSFORMS-log_subset = some_logs In transforms.conf [some_logs] REGEX = . DEST_KEY=_TCP_ROUTING FORMAT=some_logs_subset In outputs.conf [tcpout:some_logs_subset] server=serverip:port </CODE></PRE> Wed, 31 Jul 2013 19:22:11 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21012#M3099 sonicZ 2013-07-31T19:22:11Z https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21013#M3100 <P>you can do it with a combination of inputs and outputs.</P> <H1>inputs.conf</H1> <P>[monitor:///some/path/to/some/files/]<BR /> _TCP_ROUTING = my_new_route<BR /> source = <BR /> sourcetype =<BR /> host = <BR /> blacklist =</P> <H1>outputs.conf</H1> <P>[tcpout]<BR /> defaultGroup = our_default_route</P> <P>[tcpout:out_default_route]<BR /> server = 0.0.0.0:0000</P> <P>[tcpout:our_new_route]<BR /> server = 1.1.1.1:1111 </P> Mon, 28 Sep 2020 14:29:04 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21013#M3100 lmyrefelt 2020-09-28T14:29:04Z https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21014#M3101 <P>The only problem i have is we have an input on <BR /> [splunktcp:port]</P> <P>That basically has a lot of data coming in from, the sourcetype is mixed in with that data so we only want to forward data that is of that particular sourcetype, preferably not changing the inputs.conf ports</P> Thu, 01 Aug 2013 22:02:51 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21014#M3101 sonicZ 2013-08-01T22:02:51Z https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21015#M3102 <P>what kind of forwarder are you using? Can it be that you need another kind of forwarder (ie. heavy) to what u want?</P> Fri, 02 Aug 2013 07:04:55 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21015#M3102 lmyrefelt 2013-08-02T07:04:55Z https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21016#M3103 <P>Your config looks fine to me.<BR /><BR /> Have you correctly defined the input on the other side and tested connectivity?</P> Fri, 02 Aug 2013 08:28:15 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21016#M3103 Drainy 2013-08-02T08:28:15Z https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21017#M3104 <P>I basically just have this on the receiving forwarder<BR /> connectivity is fine in splunkd logs from forwarder to forwarder and via port connect tests(telnet)</P> <P>[splunktcp://9997]<BR /> connection_host = dns<BR /> index = iseclog_core<BR /> sourcetype = logger_cef</P> Mon, 28 Sep 2020 14:31:02 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21017#M3104 sonicZ 2020-09-28T14:31:02Z https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21018#M3105 <P>I should also mention this is a spunk 4.3.3 instance forwarding to splunk 5.0.3</P> Tue, 06 Aug 2013 20:06:42 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21018#M3105 sonicZ 2013-08-06T20:06:42Z https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21019#M3106 <P>This is a heavy forwarder receiving multiple inputs on different ports, so i am using props and transforms .conf files specified in original post.</P> Tue, 06 Aug 2013 20:07:45 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21019#M3106 sonicZ 2013-08-06T20:07:45Z https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21020#M3107 <P>Also another oddity is if i specify <BR /> [tcp://9997] <BR /> instead of splunktcp the data comes in indexed but since its still coming in cooked.</P> <P>--splunk-cooked-mode-v3--\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 etc... </P> <P>So connectivity seems fine just seems like this instance is not handling cooked "spunktcp" data correctly.</P> Tue, 06 Aug 2013 20:13:26 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-subset-of-logs-via-TCP-ROUTING/m-p/21020#M3107 sonicZ 2013-08-06T20:13:26Z