topic Indexed data from splunk server to syslog server(udp 514) in Getting Data In

Indexed data from splunk server to syslog server(udp 514)

cleelakrishna — Tue, 29 Sep 2020 14:27:39 GMT

i'm able to send all the cooked data to syslog server by configuring outputs.conf.

but currently my requirement was to send cooked data by filtering based on INDEX. (index=watson) . is there any thing to change the configarations.

props.conf
[index::watson]
TRANSFORMS-watson = wat_to_syslog

transforms.conf
[wat_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = wat_syslog_group

outputs.conf
[syslog]
defaultGroup=wat_syslog_group

[syslog:wat_syslog_group]
server = splunk-syslog.XXXX.com:514
type=udp

Re: Indexed data from splunk server to syslog server(udp 514)

Richfez — Sat, 17 Jun 2017 22:42:11 GMT

I'm not sure anyone understands what the question actually is.

You have a splunk data collector (UF, HF, full install, whatever) that is reading data and sending it to Splunk. You want to do what exactly with that data?

It seems most likely that you are trying to duplicate anything that comes in to a certain index to a syslog output?

Can you describe this situation more fully? Like, describe a particular event as it travels through the system. Here's a start, please correct it or change it as necessary and add detail as appropriate: it gets read off the disk by the UF installed on the source machine, whose outputs.conf send it to machine Y, my main Splunk Indexer... At that time I want to, on anything that comes in to index watson, also send that to a syslog machine.

Thanks,
Rich

Re: Indexed data from splunk server to syslog server(udp 514)

alacercogitatus — Tue, 20 Jun 2017 15:59:34 GMT

props.conf doesn't support [index::watson] like that.

If you want to route all the data in the index, you have to set the routing on all the sourcetypes in that index. Unless you have a really good reason for this, I wouldn't do it. BUT if it is a requirement, then go for it, just know that props cannot be applied to index.

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf

You could filter by index by updating the transforms to this:

[wat_to_syslog]
SOURCE_KEY = MetaData:Index
REGEX = watson
DEST_KEY = _SYSLOG_ROUTING
FORMAT = wat_syslog_group

Re: Indexed data from splunk server to syslog server(udp 514)

Richfez — Sun, 16 Jul 2017 18:31:02 GMT

cleelakrishna,

If this answer by alacercogitatus resolved your issue, could you please mark it Accepted?

If it did not, please post back with more information or what's not working right so we can help finish this up!

Happy Splunking,
Rich

Re: Indexed data from splunk server to syslog server(udp 514)

anand_singh17 — Fri, 28 Jul 2017 10:57:29 GMT

There is no options yet, where Indexer to be used as Heavy Forwarder and forward data.

I too had the same requirement, but it did not work.