I have logs on an HF. I need to filter the logs and only identify those containing the string "AAA". This subset of logs I need to send to two outputs:
LOG FLOW
################### ON A SINGLE HF ###################
              transforms
LOG FILES ----------> SPECIFIC LOGS
                          |---:9977---> UNCOOKED tcpout
                          |
                          |---:9997---> COOKED tcpout
Unfortunately, I don't have a test environment, so I have come up with some ideas on what might work, but I am hoping to get input before I deploy them. Here is what I have so far:
############# OUTPUTS #############
# outputs.conf
[tcpout]
# indexAndForward is only valid in the global [tcpout] stanza, not inside a
# target group; set it here so the HF forwards without indexing locally
indexAndForward = false
# Uncooked (raw TCP) feed on port 9977
[tcpout:raw_IndexPool]
sendCookedData = false
server = 10.1.1.1:9977,10.1.1.2:9977,10.1.1.3:9977
# Cooked (Splunk-to-Splunk) feed on port 9997
[tcpout:IndexPool]
server = 10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997
############# INPUTS #############
# inputs.conf
[monitor:///var/log/*.log]
disabled = 0
index = proxy
sourcetype = bluecoat:proxysg
# Default routing for this input; overridden per event by the raw_bluecoat transform
_TCP_ROUTING = IndexPool
############# PROPS #############
# props.conf -- the transforms run in the order listed
[bluecoat:proxysg]
TRANSFORMS-bluecoatrex = nullqueue,raw_bluecoat,bluecoat_tcpout
############# TRANSFORMS #############
# transforms.conf
# Stanza assumed here (not shown in the original post): send every event to
# nullQueue first, so only events a later transform rescues are kept
[nullqueue]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
# Events containing " AAA " are routed to both tcpout groups (comma-separated);
# a single group here would replace the input's IndexPool routing, not add to it
[raw_bluecoat]
REGEX = \sAAA\s
DEST_KEY = _TCP_ROUTING
FORMAT = raw_IndexPool,IndexPool
# The same match rescues the event from nullQueue into indexQueue; REGEX is required
[bluecoat_tcpout]
REGEX = \sAAA\s
DEST_KEY = queue
FORMAT = indexQueue
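Since there is no test environment, here is an added dry run (not from the original post or from Splunk) that models the transform chain above on constructed sample events: each transform whose REGEX matches `_raw` overwrites its DEST_KEY with FORMAT, and later transforms win. It assumes a `[nullqueue]` stanza that matches every event and that `raw_bluecoat` lists both tcpout groups.

```python
import re

# Constructed sample events (not from the post) in the rough shape of a
# Blue Coat ProxySG access log. Only " AAA " with whitespace on both sides
# should survive; "AAA," and "AAA" at the start of an event should not.
SAMPLE_EVENTS = [
    "2023-01-01 10:00:01 10.0.0.5 AAA GET http://example.com/ 200",
    "2023-01-01 10:00:02 10.0.0.6 BBB GET http://example.com/ 200",
    "2023-01-01 10:00:03 10.0.0.7 user=AAA, GET http://example.com/ 200",
    "AAA 2023-01-01 10:00:04 10.0.0.8 GET http://example.com/ 200",
]

# The transforms in the order TRANSFORMS-bluecoatrex lists them.
# [nullqueue] is assumed (not shown in the post); FORMAT for raw_bluecoat is
# assumed to name both groups so matching events reach both ports.
TRANSFORMS = [
    {"name": "nullqueue",       "REGEX": r".",       "DEST_KEY": "queue",        "FORMAT": "nullQueue"},
    {"name": "raw_bluecoat",    "REGEX": r"\sAAA\s", "DEST_KEY": "_TCP_ROUTING", "FORMAT": "raw_IndexPool,IndexPool"},
    {"name": "bluecoat_tcpout", "REGEX": r"\sAAA\s", "DEST_KEY": "queue",        "FORMAT": "indexQueue"},
]


def route_event(raw, transforms=TRANSFORMS, default_routing="IndexPool"):
    """Simplified model of Splunk's index-time transform chain.

    Starts from the inputs.conf defaults (indexQueue, _TCP_ROUTING = IndexPool),
    applies each matching transform in order, and returns
    (queue, list of tcpout group names) for the event.
    """
    keys = {"queue": "indexQueue", "_TCP_ROUTING": default_routing}
    for t in transforms:
        if re.search(t["REGEX"], raw):
            keys[t["DEST_KEY"]] = t["FORMAT"]
    return keys["queue"], keys["_TCP_ROUTING"].split(",")


def dry_run(events=SAMPLE_EVENTS):
    """Return {event: (queue, groups)} for every sample event."""
    return {e: route_event(e) for e in events}


if __name__ == "__main__":
    for event, (queue, groups) in dry_run().items():
        print(f"{queue:10s} {','.join(groups):25s} {event[:60]}")
```

The two events that contain "AAA" without whitespace on both sides land in nullQueue, which is the check to make before relying on `\sAAA\s` in production.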
Would you like to forward the same events to two different tcpout groups?
Your question is not that clear.
I would like to send an uncooked and a cooked feed of the same events to the same destination receiver, but on different ports.