https://community.splunk.com/t5/Getting-Data-In/Send-data-to-heavy-forwarder-to-filter-events-AND-change/m-p/296123#M56157 <P>Hello,</P> <P>As the question states, i'm looking to send events from a universal forwarder to a heavy forwarder to have filtered. Once filtered, i'd like to change the sourcetype. I have not implemented this yet. This is for me to propose to upper management to agree on. I want to make sure the props/transforms piece is correct. I think the filtering is good, however i just want to make sure the syntax is all good.</P> <P>I've listed my config and config details:</P> <P>ON UNIVERSAL FORWARDER</P> <H2>inputs.conf</H2> <P>[monitor://c:\program files\app1\web.log]<BR /> _TCP_ROUTING = filter_heavy_forwarders<BR /> index = cmis_index</P> <H2>sourcetype = app1_web_logs</H2> <P>ON UNIVERSAL FORWARDER</P> <H2>outputs.conf</H2> <P>[tcpout]<BR /> defaultGroup=infosec_indexers</P> <P>[tcpout:infosec_indexers]<BR /> autoLB = true<BR /> server = infosec_server1:9997,infosec_server2:9997,infosec_server3:9997…,infosec_server16:9997</P> <P>[tcpout:cmis_indexers]<BR /> autoLB = true<BR /> server = cmis_server1:9997</P> <P>[tcpout:filter_heavy_forwarders]<BR /> autoLB = true</P> <H2>Server = filter_hvyfwd1:9998,filter_hvyfwd2:9998</H2> <P>ON HEAVY FORWARDER</P> <H2>props.conf</H2> <P>[app1_web_logs]<BR /> TRANSFORMS-routing = app1_web_filter</P> <H2>TRANSFORMS-changest = app1_cmis_web</H2> <P>ON HEAVY FORWARDER</P> <H2>transforms.conf</H2> <P>[app1_web_filter]<BR /> REGEX = (Events|To|Filter)<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = cmis_indexers</P> <P>[app1_cmis_web_st]<BR /> DEST_KEY = MetaData:Sourcetype</P> <H2>FORMAT = sourcetype::app1_cmis_web</H2> <P>ON HEAVY FORWARDER</P> <H2>outputs.conf</H2> <P>[tcpout]<BR /> defaultGroup=none</P> <P>[tcpout:cmis_indexers]<BR /> autoLB = true</P> <H2>server = cmis_server1:9997</H2> Tue, 29 Sep 2020 16:10:01 GMT johnmvang 2020-09-29T16:10:01Z https://community.splunk.com/t5/Getting-Data-In/Send-data-to-heavy-forwarder-to-filter-events-AND-change/m-p/296123#M56157 <P>Hello,</P> <P>As the question states, i'm looking to send events from a universal forwarder to a heavy forwarder to have filtered. Once filtered, i'd like to change the sourcetype. I have not implemented this yet. This is for me to propose to upper management to agree on. I want to make sure the props/transforms piece is correct. I think the filtering is good, however i just want to make sure the syntax is all good.</P> <P>I've listed my config and config details:</P> <P>ON UNIVERSAL FORWARDER</P> <H2>inputs.conf</H2> <P>[monitor://c:\program files\app1\web.log]<BR /> _TCP_ROUTING = filter_heavy_forwarders<BR /> index = cmis_index</P> <H2>sourcetype = app1_web_logs</H2> <P>ON UNIVERSAL FORWARDER</P> <H2>outputs.conf</H2> <P>[tcpout]<BR /> defaultGroup=infosec_indexers</P> <P>[tcpout:infosec_indexers]<BR /> autoLB = true<BR /> server = infosec_server1:9997,infosec_server2:9997,infosec_server3:9997…,infosec_server16:9997</P> <P>[tcpout:cmis_indexers]<BR /> autoLB = true<BR /> server = cmis_server1:9997</P> <P>[tcpout:filter_heavy_forwarders]<BR /> autoLB = true</P> <H2>Server = filter_hvyfwd1:9998,filter_hvyfwd2:9998</H2> <P>ON HEAVY FORWARDER</P> <H2>props.conf</H2> <P>[app1_web_logs]<BR /> TRANSFORMS-routing = app1_web_filter</P> <H2>TRANSFORMS-changest = app1_cmis_web</H2> <P>ON HEAVY FORWARDER</P> <H2>transforms.conf</H2> <P>[app1_web_filter]<BR /> REGEX = (Events|To|Filter)<BR /> DEST_KEY = _TCP_ROUTING<BR /> FORMAT = cmis_indexers</P> <P>[app1_cmis_web_st]<BR /> DEST_KEY = MetaData:Sourcetype</P> <H2>FORMAT = sourcetype::app1_cmis_web</H2> <P>ON HEAVY FORWARDER</P> <H2>outputs.conf</H2> <P>[tcpout]<BR /> defaultGroup=none</P> <P>[tcpout:cmis_indexers]<BR /> autoLB = true</P> <H2>server = cmis_server1:9997</H2> Tue, 29 Sep 2020 16:10:01 GMT https://community.splunk.com/t5/Getting-Data-In/Send-data-to-heavy-forwarder-to-filter-events-AND-change/m-p/296123#M56157 johnmvang 2020-09-29T16:10:01Z https://community.splunk.com/t5/Getting-Data-In/Send-data-to-heavy-forwarder-to-filter-events-AND-change/m-p/296124#M56158 <P>You can use <A href="https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurations">btool</A> to validate your syntax.<BR /> I notice you don't mention both tcpout's within the outputs.conf but this might be from the universal forwarder only.</P> Fri, 13 Oct 2017 01:02:33 GMT https://community.splunk.com/t5/Getting-Data-In/Send-data-to-heavy-forwarder-to-filter-events-AND-change/m-p/296124#M56158 gjanders 2017-10-13T01:02:33Z https://community.splunk.com/t5/Getting-Data-In/Send-data-to-heavy-forwarder-to-filter-events-AND-change/m-p/296125#M56159 <P>i updated my question with the unifwd outputs. But let me look into the btool and i'll come back.</P> <P>Thanks,</P> <P>John</P> Fri, 13 Oct 2017 02:56:44 GMT https://community.splunk.com/t5/Getting-Data-In/Send-data-to-heavy-forwarder-to-filter-events-AND-change/m-p/296125#M56159 johnmvang 2017-10-13T02:56:44Z https://community.splunk.com/t5/Getting-Data-In/Send-data-to-heavy-forwarder-to-filter-events-AND-change/m-p/296126#M56160 <P>Hi johnmvang,<BR /> only just a few information:<BR /> in UFs outputs.conf I don't see</P> <PRE><CODE>[tcpout-server://infosec_server1:9997] [tcpout-server://infosec_server2:9997] [tcpout-server://infosec_server3:9997] [tcpout-server://infosec_server16:9997] </CODE></PRE> <P>but probably you missed these rows only in the question.</P> <P>On HF, you send all transforming logs only to cmis_indexers?<BR /> if yes you don't need in props.conf <CODE>TRANSFORMS-routing = app1_web_filter</CODE> and the relative stanza in transforms.conf.<BR /> In addition I suggest to perform selective addressing directly in UFs.</P> <P>Anyway, I think that the problem is in HFs transforms.conf: the REGEX row is missing, so add <CODE>REGEX = .</CODE> to the [app1_cmis_web_st] stanza.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 16:14:43 GMT https://community.splunk.com/t5/Getting-Data-In/Send-data-to-heavy-forwarder-to-filter-events-AND-change/m-p/296126#M56160 gcusello 2020-09-29T16:14:43Z