Hello all,
I have a doubt about my routing configuration. I'm using an HF and I configured an app to perform some routing (but it's more like a replication) to a syslog server for a specific sourcetype.
This is my props.conf
[sourcetype::XmlWinEventLog]
TRANSFORMS-XMLWin = send_to_IDX, send_to_syslog
and here is my transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = SGroup
[send_to_IDX]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = idx_core
I have a locally (to the app) defined outputs.conf
[syslog]
[syslog:SGroup]
server = X.X.X.X:601
priority = <190>
type = tcp
timestampformat = "%d/%m/%Y %H:%M:%S"
and the idx_core is defined in a global outputs.conf
Now my doubt is how the transforms will execute and tag the events. In my understanding, the order of the transforms is important, and so is the REGEX filter in each transform stanza. So if the transform "send_to_IDX" runs first, ALL the events (matched by REGEX=.) will be tagged to be sent to the tcp routing group idx_core, so when the transform "send_to_syslog" runs, no events will be routed to the syslog.
Is my assumption correct? If so, how can I do this double routing of that specific sourcetype?
thanks,
Fausto
Your configuration for the syslog routing looks correct. However, you can try to remove the _TCP_ROUTING for the indexer; it's already in the [tcpout] defaultGroup of outputs.conf. By default, the forwarder automatically sends all events to all specified target groups.
You are right, it works! Thanks for the input. Anyway, I noticed that if I do not specify a defaultGroup in the syslog stanza, Splunk doesn't send anything to the syslog server, and this is very weird.
Hello, can you mark it as an answer if it does help you?
Do you mean defaultGroup for the tcpout of indexers ?
I only use defaultGroup for the tcpout. For the syslog routing, only the transforms and the syslog stanza in outputs.conf, because it sends the data through a separate output processor.
You may want to check this reference
https://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Forwarddatatothird-partysystemsd#Syslog_...
Hello, I mean the defaultGroup for syslog stanza. Looking into the Splunk docs, it seems this config is mandatory, and my tests agree with that.
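Putting the outcome of the thread together, here is the resulting end-to-end configuration as an added example (it is not the original poster's files nor Splunk's own documentation): indexer delivery comes from [tcpout] defaultGroup rather than a _TCP_ROUTING transform, and the [syslog] stanza carries its own defaultGroup so the syslog output processor actually emits data. The sourcetype XmlWinEventLog, the group names idx_core and SGroup and the syslog server X.X.X.X:601 are taken from the thread; the indexer address 10.0.0.10:9997 is an assumed placeholder.

```ini
# --- props.conf (on the heavy forwarder)
[XmlWinEventLog]
# Only the syslog transform is listed. Indexer delivery is handled by
# [tcpout] defaultGroup below, so no _TCP_ROUTING transform is needed and
# the two transforms no longer compete for the same events.
TRANSFORMS-XMLWin = send_to_syslog

# --- transforms.conf
[send_to_syslog]
# "." matches every event with at least one character, i.e. all events
# of this sourcetype are tagged for the SGroup syslog target.
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = SGroup

# --- outputs.conf
[tcpout]
# Every event goes to this indexer group regardless of _SYSLOG_ROUTING;
# the syslog copy is produced by a separate output processor.
defaultGroup = idx_core

[tcpout:idx_core]
# Assumed indexer address (placeholder, not from the thread).
server = 10.0.0.10:9997

[syslog]
# Without a defaultGroup here the syslog output processor sends nothing,
# which is the behaviour observed in the thread.
defaultGroup = SGroup

[syslog:SGroup]
server = X.X.X.X:601
type = tcp
priority = <190>
timestampformat = %d/%m/%Y %H:%M:%S
```

After deploying, confirm the merged view with `splunk btool outputs list syslog --debug` and `splunk btool props list XmlWinEventLog --debug` on the forwarder, so you can see which app each setting comes from and that no leftover _TCP_ROUTING transform is still attached to the sourcetype.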