https://community.splunk.com/t5/Getting-Data-In/filtering-by-hostname-and-sourcetype/m-p/502796#M85639 <P>Hi all,</P> <P>I need some leads on an issue. I am having trouble in data forwarding from splunk HF to 3rd party. My prop.conf file below:<BR /> [host::hostname]<BR /> TRANSFORMS-weblog-matrix = send_to_syslog_EFH,send_to_index. <BR /> But this is forwarding all the logs from the host. but instead I want to send one of the sourcetype from the host.</P> <P>Is it possible to filter by both hostname and sourcetype? If so, please peovide some sample props.conf and transformas.conf.</P> <P>Thanks</P> Wed, 30 Sep 2020 02:34:15 GMT graju89 2020-09-30T02:34:15Z https://community.splunk.com/t5/Getting-Data-In/filtering-by-hostname-and-sourcetype/m-p/502796#M85639 <P>Hi all,</P> <P>I need some leads on an issue. I am having trouble in data forwarding from splunk HF to 3rd party. My prop.conf file below:<BR /> [host::hostname]<BR /> TRANSFORMS-weblog-matrix = send_to_syslog_EFH,send_to_index. <BR /> But this is forwarding all the logs from the host. but instead I want to send one of the sourcetype from the host.</P> <P>Is it possible to filter by both hostname and sourcetype? If so, please peovide some sample props.conf and transformas.conf.</P> <P>Thanks</P> Wed, 30 Sep 2020 02:34:15 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-by-hostname-and-sourcetype/m-p/502796#M85639 graju89 2020-09-30T02:34:15Z https://community.splunk.com/t5/Getting-Data-In/filtering-by-hostname-and-sourcetype/m-p/502797#M85640 <P>Hi graju89,<BR /> see this <A href="https://docs.splunk.com/Documentation/Splunk/7.3.2/Forwarding/Forwarddatatothird-partysystemsd">https://docs.splunk.com/Documentation/Splunk/7.3.2/Forwarding/Forwarddatatothird-partysystemsd</A> and <A href="https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Transformsconf">https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Transformsconf</A></P> <P>Anyway to filter for two parameters there are two ways:</P> <UL> <LI>if you can find one of the parameters in the raw logs you can use it to filter logs in transfroms.conf: e.g. if you want to forwarder to third party syslogs, in the beginning of each event you can find the host IP address, so you can use sourcetype as main stanza in props.conf and regex with that IP address in REGEX of transforms.conf.</LI> <LI>otherwise you can use the <CODE>SOURCE_KEY = MetaData:Host</CODE> option in your transforms.conf, e.g. something like this:</LI> </UL> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[your_sourcetype] TRANSFORMS-weblog-matrix = send_to_syslog_EFH,send_to_index </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[send_to_syslog_EFH] SOURCE_KEY = MetaData:Host REGEX = your_host DEST_KEY=_SYSLOG_ROUTING FORMAT=my_syslog_group </CODE></PRE> <P>Ciao.<BR /> Giuseppe</P> Fri, 18 Oct 2019 07:08:36 GMT https://community.splunk.com/t5/Getting-Data-In/filtering-by-hostname-and-sourcetype/m-p/502797#M85640 gcusello 2019-10-18T07:08:36Z