https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314689#M58920 <P>Hi,</P> <P>I have the following setup on my heavy forwarder:</P> <PRE><CODE>outputs.conf [tcpout] defaultGroup = default-autolb-group indexAndForward = 0 [tcpout:default-autolb-group] disabled = false server = indexer1:9997,indexer2:9997 [syslog] defaultGroup=nothing [syslog:syslogGroup1] server = server1:514 [syslog:syslogGroup2] server=server2:53215 transform.conf [send_to_syslog1] REGEX = .*%ASA-\d+-(111008|106100).* DEST_KEY = _SYSLOG_ROUTING FORMAT = syslogGroup1 [send_to_syslog2] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = syslogGroup2 props.conf [host::host1] TRANSFORMS-host_! = send_to_syslog1 [host::hosts*] TRANSFORMS-hosts = send_to_syslog2 </CODE></PRE> <P>This setup is not working, can someone help?</P> <P>Regards</P> <P>Jorge</P> Thu, 31 Aug 2017 16:18:16 GMT jorgepinto1 2017-08-31T16:18:16Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314689#M58920 <P>Hi,</P> <P>I have the following setup on my heavy forwarder:</P> <PRE><CODE>outputs.conf [tcpout] defaultGroup = default-autolb-group indexAndForward = 0 [tcpout:default-autolb-group] disabled = false server = indexer1:9997,indexer2:9997 [syslog] defaultGroup=nothing [syslog:syslogGroup1] server = server1:514 [syslog:syslogGroup2] server=server2:53215 transform.conf [send_to_syslog1] REGEX = .*%ASA-\d+-(111008|106100).* DEST_KEY = _SYSLOG_ROUTING FORMAT = syslogGroup1 [send_to_syslog2] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = syslogGroup2 props.conf [host::host1] TRANSFORMS-host_! = send_to_syslog1 [host::hosts*] TRANSFORMS-hosts = send_to_syslog2 </CODE></PRE> <P>This setup is not working, can someone help?</P> <P>Regards</P> <P>Jorge</P> Thu, 31 Aug 2017 16:18:16 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314689#M58920 jorgepinto1 2017-08-31T16:18:16Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314690#M58921 <P>Of course, the objective is to forward all the data to the indexers, the data from host1 that matches the regex specified to syslog1 and all the data from several hosts to syslog2</P> Fri, 01 Sep 2017 11:03:24 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314690#M58921 jorgepinto1 2017-09-01T11:03:24Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314691#M58922 <P>Hi there @Jorgepinto1</P> <P>Can you try to specify the hostnames on the second stanza inside the props.conf to see what happens I believe that the current configuration is redundant. And also, be aware of the admiration sign ("!) on the first one.</P> <PRE><CODE>[host::host1] TRANSFORMS-host_1 = send_to_syslog1 [host::(host2|host3|host4)] TRANSFORMS-hosts = send_to_syslog2 </CODE></PRE> <P>Perhaps you mistyped it but make sure that your filename is called <CODE>transforms.conf</CODE> instead of transform.conf</P> Fri, 01 Sep 2017 13:25:43 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314691#M58922 alemarzu 2017-09-01T13:25:43Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314692#M58923 <P>This is the biggest oops I've posted here. Thank you very much Alemarzu. </P> <P>Transform.conf vs transforms.conf</P> Fri, 01 Sep 2017 14:06:13 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314692#M58923 jorgepinto1 2017-09-01T14:06:13Z https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314693#M58924 <P>It happens sometimes. Glad we could solved it!</P> Fri, 01 Sep 2017 14:18:22 GMT https://community.splunk.com/t5/Getting-Data-In/Issue-with-setting-up-my-forwarders-to-Syslog-servers/m-p/314693#M58924 alemarzu 2017-09-01T14:18:22Z