https://community.splunk.com/t5/Getting-Data-In/How-to-send-syslog-data-to-the-indexer-and-another-TCP-listener/m-p/355802#M65028 <P>my scenario:</P> <P>I have an APP that can only send syslog data to one destination.<BR /> I have an HF configured to receive syslog data UDP.<BR /> I want to send the APP syslog data to a HF.</P> <P>I need the HF to send the data to the indexer and another destination, BUT I don't want all my syslog data (from other sources) to go to the 3rd party TCP listener - just this specific APP's syslog data.</P> <P>Also I want the data to go to splunk (cooked), but I want the data to go to the other 3rd party TCP listener (uncooked).</P> <P>So if I am understanding correctly, I will edit the HF's props.conf, transforms.conf, and outputs.conf as follows:</P> <P>Edit $SPLUNK_HOME/etc/system/local/props.conf</P> <P>[syslog]<BR /> TRANSFORMS-routing = routeAll, routeSubset</P> <P>Edit $SPLUNK_HOME/etc/system/local/transforms.conf</P> <P>[routeAll]<BR /> REGEX=(.)<BR /> DEST_KEY=_TCP_ROUTING<BR /> FORMAT=Everything &lt;-------- This specifies everything syslog goes to the indexer, but not everything to 3rd party TCP receiver?</P> <P>[routeSubset]<BR /> REGEX=(SYSTEM|CONFIG|THREAT) &lt;--------- This is where I would specify which data would go to the 3rd party app?<BR /> DEST_KEY=_TCP_ROUTING<BR /> FORMAT=Subsidiary &lt; ----------------- This is how I would specify that only the above data would go to the 3rd party TCP receiver?</P> <P>Edit $SPLUNK_HOME/etc/system/local/outputs.conf</P> <P>[tcpout]<BR /> defaultGroup=nothing</P> <P>[tcpout:Everything]<BR /> disabled=false<BR /> server=x.x.x.x:9997 &lt;---- my splunk indexer</P> <P>[tcpout:Subsidiary]<BR /> disabled=false<BR /> sendCookedData=false<BR /> server=x.x.x.x:1234 &lt;---- the 3rd party app</P> <P>Does that look right? <BR /> Thanks</P> Tue, 29 Sep 2020 17:21:08 GMT Log_wrangler 2020-09-29T17:21:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-syslog-data-to-the-indexer-and-another-TCP-listener/m-p/355802#M65028 <P>my scenario:</P> <P>I have an APP that can only send syslog data to one destination.<BR /> I have an HF configured to receive syslog data UDP.<BR /> I want to send the APP syslog data to a HF.</P> <P>I need the HF to send the data to the indexer and another destination, BUT I don't want all my syslog data (from other sources) to go to the 3rd party TCP listener - just this specific APP's syslog data.</P> <P>Also I want the data to go to splunk (cooked), but I want the data to go to the other 3rd party TCP listener (uncooked).</P> <P>So if I am understanding correctly, I will edit the HF's props.conf, transforms.conf, and outputs.conf as follows:</P> <P>Edit $SPLUNK_HOME/etc/system/local/props.conf</P> <P>[syslog]<BR /> TRANSFORMS-routing = routeAll, routeSubset</P> <P>Edit $SPLUNK_HOME/etc/system/local/transforms.conf</P> <P>[routeAll]<BR /> REGEX=(.)<BR /> DEST_KEY=_TCP_ROUTING<BR /> FORMAT=Everything &lt;-------- This specifies everything syslog goes to the indexer, but not everything to 3rd party TCP receiver?</P> <P>[routeSubset]<BR /> REGEX=(SYSTEM|CONFIG|THREAT) &lt;--------- This is where I would specify which data would go to the 3rd party app?<BR /> DEST_KEY=_TCP_ROUTING<BR /> FORMAT=Subsidiary &lt; ----------------- This is how I would specify that only the above data would go to the 3rd party TCP receiver?</P> <P>Edit $SPLUNK_HOME/etc/system/local/outputs.conf</P> <P>[tcpout]<BR /> defaultGroup=nothing</P> <P>[tcpout:Everything]<BR /> disabled=false<BR /> server=x.x.x.x:9997 &lt;---- my splunk indexer</P> <P>[tcpout:Subsidiary]<BR /> disabled=false<BR /> sendCookedData=false<BR /> server=x.x.x.x:1234 &lt;---- the 3rd party app</P> <P>Does that look right? <BR /> Thanks</P> Tue, 29 Sep 2020 17:21:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-syslog-data-to-the-indexer-and-another-TCP-listener/m-p/355802#M65028 Log_wrangler 2020-09-29T17:21:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-syslog-data-to-the-indexer-and-another-TCP-listener/m-p/355803#M65029 <P>Hi @Log_wrangler,</P> <P>Your configuration looks good please let us know if you will face any issue and community members will help you.</P> Fri, 22 Dec 2017 03:08:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-syslog-data-to-the-indexer-and-another-TCP-listener/m-p/355803#M65029 harsmarvania57 2017-12-22T03:08:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-send-syslog-data-to-the-indexer-and-another-TCP-listener/m-p/355804#M65030 <P>Thank you for the confirmation. I am in the staging phase right now, have not had a chance to test-run anything yet. </P> <P>A couple of followup questions, <BR /> 1) With the current config above, if I have other sources sending syslog data to the indexer then these sources will not be disturbed and will not be accidentally sent to the 3rd party tcp receiver? If I am understanding correctly, </P> <P>Edit $SPLUNK_HOME/etc/system/local/outputs.conf</P> <P>[tcpout]<BR /> defaultGroup=nothing <STRONG>&lt;----- setting defaultGroup to nothing defines that "everything" (old and new) goes to indexer and subsidiary goes to 3rd party??</STRONG></P> <P>[tcpout:Everything]<BR /> disabled=false<BR /> server=x.x.x.x:9997</P> <P>[tcpout:Subsidiary]<BR /> disabled=false<BR /> sendCookedData=false<BR /> server=x.x.x.x:1234 </P> <P>2) Is there any documentation / examples on REGEX for: </P> <P>[routeSubset]<BR /> REGEX=(SYSTEM|CONFIG|THREAT) &lt;--------- This is where I would specify which data would go to the 3rd party app?<BR /> DEST_KEY=_TCP_ROUTING<BR /> FORMAT=Subsidiary </P> <P>Thank you</P> Tue, 29 Sep 2020 17:21:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-syslog-data-to-the-indexer-and-another-TCP-listener/m-p/355804#M65030 Log_wrangler 2020-09-29T17:21:33Z