topic Re: How to send syslog data to the indexer and another TCP listener? in Getting Data In

How to send syslog data to the indexer and another TCP listener?

Log_wrangler — Thu, 21 Dec 2017 16:18:19 GMT

Need a little help as I have not set this up before.
Here is my scenario.

I have an APP that can only send syslog data to one destination.
I have an HF configured to receive syslog data UDP.
I want to send the APP syslog data to a HF.
I need the HF to send the data to the indexer and another destination.

I want the data to go to splunk (cooked), but I want the data to go to the other destination (uncooked).

Please advise the best way to configure this.
Thank you

Re: How to send syslog data to the indexer and another TCP listener?

somesoni2 — Thu, 21 Dec 2017 16:42:49 GMT

You can refer to following Splunk documentation to learn about Splunk routing.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system

The example in above post sends all data to Indexer and selected data to third party. If you want to send all data to both Indexers and third party system, you'd use just routeAll.

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything

To send the uncooked data to third party, you'd set sendCookedData to false in outputs.conf entry for third party system.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Forwarddatatothird-partysystemsd

Re: How to send syslog data to the indexer and another TCP listener?

Log_wrangler — Thu, 21 Dec 2017 16:57:53 GMT

Thank you, I will take a look.

Re: How to send syslog data to the indexer and another TCP listener?

Log_wrangler — Tue, 29 Sep 2020 17:21:02 GMT

So if I am understanding correctly, I will edit the HF's props.conf, transforms.conf, and outputs.conf as follows:

Edit $SPLUNK_HOME/etc/system/local/props.conf

[syslog]
TRANSFORMS-routing = routeAll <----- do I need route subset if I am sending all to both?

Edit $SPLUNK_HOME/etc/system/local/transforms.conf

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

Edit $SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Everything]
disabled=false
server=x.x.x.x:9997 <---- my splunk indexer

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234 <---- the 3rd party app

Does that look right?
Thanks

Re: How to send syslog data to the indexer and another TCP listener?

lfedak_splunk — Thu, 21 Dec 2017 19:16:15 GMT

Hey @log_wrangler (sweet username!) your comment is posted now! The submissions were in the mod queue. Sorry if that was frustrating. If you get 6 more karma points your posts will only be moderated if they meet the other standard criteria. (30 points). Actually, I'll upvote your comment so you're in the clear. 🙂

Re: How to send syslog data to the indexer and another TCP listener?

somesoni2 — Thu, 21 Dec 2017 19:19:41 GMT

Your props.conf looks correct (your just routeAll since you're sending all data)
Your transforms.conf needs correction. The FORMAT should include both the tcpout group as you want to copy the data to both destination (Everything for your indexer and Subsidiary for your third party app).

Re: How to send syslog data to the indexer and another TCP listener?

Log_wrangler — Thu, 21 Dec 2017 19:26:57 GMT

Thank you Somesoni!! If you don't mind... I actually created a part 2 question. Please take a look at that question. There is an additional criterion to my scenario. Thank you

Re: How to send syslog data to the indexer and another TCP listener?

Log_wrangler — Thu, 21 Dec 2017 19:28:48 GMT

@lfedak, Thank you for the upvote. Can you please post my (Part 2) question when you have time?

Thank you

Re: How to send syslog data to the indexer and another TCP listener?

Log_wrangler — Thu, 21 Dec 2017 20:09:34 GMT

Please post my second part question

How to send syslog data to the indexer and another TCP listener? (Part 2)

It is "awaiting moderation".

Thank you