https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544186#M90821 <P>Hi all. I need some help to index all data coming into one server and only forward 3 sourcetypes to a 2nd server. Receiving and indexing the data is not a problem, but I cannot seem to get the 3 sourcetypes to the 2nd server. Any help would be appreciated.</P><P>&nbsp;My props.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[cisco:asa] TRANSFORMS-routing=gsoc [icsp] TRANSFORMS-routing=gsoc [syslog] TRANSFORMS-routing=gsoc</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>transforms.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[gsoc] REGEX=. DEST_KEY=_TCP_ROUTING FORMAT=gsocPrimary</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>and outputs.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[tcpout] defaultGroup=nothing indexAndForward=true [tcpout:gsocPrimary] server=*.*.*.*:9997</LI-CODE><P>&nbsp;</P> Wed, 17 Mar 2021 13:37:00 GMT Adevill 2021-03-17T13:37:00Z https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544186#M90821 <P>Hi all. I need some help to index all data coming into one server and only forward 3 sourcetypes to a 2nd server. Receiving and indexing the data is not a problem, but I cannot seem to get the 3 sourcetypes to the 2nd server. Any help would be appreciated.</P><P>&nbsp;My props.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[cisco:asa] TRANSFORMS-routing=gsoc [icsp] TRANSFORMS-routing=gsoc [syslog] TRANSFORMS-routing=gsoc</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>transforms.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[gsoc] REGEX=. DEST_KEY=_TCP_ROUTING FORMAT=gsocPrimary</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>and outputs.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[tcpout] defaultGroup=nothing indexAndForward=true [tcpout:gsocPrimary] server=*.*.*.*:9997</LI-CODE><P>&nbsp;</P> Wed, 17 Mar 2021 13:37:00 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544186#M90821 Adevill 2021-03-17T13:37:00Z https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544191#M90822 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232600">@Adevill</a>,</P><P>Are you trying to forward the data from HF?</P><P>The connectivity between source and destination is exist?</P><P>Try the below outputs</P><P><BR />[tcpout]<BR />defaultGroup=none<BR />indexAndForward=true</P><P>[tcpout:gsocPrimary]<BR />server=*.*.*.*:9997</P><P>&nbsp;</P><P>And why are using the 9997 port why can't use a port like 514?</P><P>The 9997 port is already is used to get the data from the forwarder to an indexer. Don't use the same port for two different activities.</P> Wed, 17 Mar 2021 14:00:18 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544191#M90822 Vardhan 2021-03-17T14:00:18Z https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544197#M90823 <P>Hey&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232459">@Vardhan</a>&nbsp;</P><P>Yes, I'm trying to forward from HF to a test server at the moment, that's why the port 9997 doesn't matter now, but you are correct, I would have chosen a different one for deployment. Connectivity is not a problem as I can forward all data to the 2nd server, but it fails when trying to filter for only the 3 sourcetypes. The solution you suggested also didn't work unfortunately.&nbsp;</P> Wed, 17 Mar 2021 14:09:34 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544197#M90823 Adevill 2021-03-17T14:09:34Z https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544203#M90824 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232600">@Adevill</a>&nbsp;just give a try by keeping seperate stanza's in transform.conf.</P><P>props<BR />[cisco:asa]<BR />TRANSFORMS-routing=gsoc1<BR />[icsp]<BR />TRANSFORMS-routing=gsoc2<BR />[syslog]<BR />TRANSFORMS-routing=gsoc3</P><P>[gsoc1]<BR />REGEX=(.*)<BR />DEST_KEY=_TCP_ROUTING<BR />FORMAT=gsocPrimary<BR />[gsoc2]<BR />REGEX=(.*)<BR />DEST_KEY=_TCP_ROUTING<BR />FORMAT=gsocPrimary<BR />[gsoc3]<BR />REGEX=(.*)<BR />DEST_KEY=_TCP_ROUTING<BR />FORMAT=gsocPrimary</P> Wed, 17 Mar 2021 14:15:06 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544203#M90824 Vardhan 2021-03-17T14:15:06Z https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544205#M90825 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232459">@Vardhan</a>&nbsp;</P><P>Unfortunately it's also not working.&nbsp;</P> Wed, 17 Mar 2021 14:22:48 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544205#M90825 Adevill 2021-03-17T14:22:48Z https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544208#M90826 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232600">@Adevill</a>&nbsp;Can u try with one source type first and check the result</P> Wed, 17 Mar 2021 14:49:32 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544208#M90826 Vardhan 2021-03-17T14:49:32Z https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544294#M90831 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232459">@Vardhan</a>&nbsp;</P><P>Even if I try just 1 sourcetype it doesn't work.</P><P>I've then removed the forwarding, then re-enabled it for all tags, which worked, then changed to a single sourcetype again which failed then again. Any other ideas?</P> Thu, 18 Mar 2021 07:34:22 GMT https://community.splunk.com/t5/Getting-Data-In/Index-all-and-selective-forward/m-p/544294#M90831 Adevill 2021-03-18T07:34:22Z