Deployment Architecture

Index and forward events on indexer

aleccese

Hi all,

I have a Splunk indexer (version 6.2.14) that receives events from a Splunk forwarder (same version). On the forwarder I have a monitor that reads some files from the local filesystem and forwards a subset of them to the indexer. The indexer receives events on a TCP over TLS port and indexes the events with no problem. The filter on the forwarder works as expected. Now I need to continue to index all that comes from the forwarder, but I also need to forward a subset of the received events to a third-party destination over TCP (no TLS). Here is the config I have built:

FORWARDER:
outputs.conf

[tcpout]
defaultGroup = <INDEXER_IP>_9999
sslCertPath = /...
sslRootCAPath = /...
sslVerifyServerCert=false
maxQueueSize = 100MB
forwardedindex.3.blacklist = (_internal|_audit|_telemetry|_introspection)

[tcpout:<INDEXER_IP>_9999]
autoLB = false
server = <INDEXER_IP>:9999

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

[CA]
REGEX = (?s)\d+\s\[-(?:07628|07777|07649|07675|07676|07697|07698|07705|07714|07717|07718|07719|07724|07725|97726|07727|07734|07751|07753|07765|07767|07783|07792|07816|07819|07824|07827|07836|07841|07842|07849|07854|07884|07886|07888|07889|07895|07896|07899|07900|07901|07903|07914|07916|07929|07930|07932|07933|07943|07948|07951|07952|07953|07954|07955|07956|07960|07963|07964|07966|07968|07972|07984|07965|07823|07977|07941|07992|07982|07981|07979|07994|07647|07840|07790|07756|07743|07744|07989|07990|07993|07618)\s
DEST_KEY = queue
FORMAT = indexQueue

[udpsyslog]
REGEX = .*\]\: Accepted password.*|.*\)\: session closed.*|.*\)\: session opened.*|.*\)\: authentication failure.*|.*\]\: Failed     password for.*|.*\: invalid user.*|.*\: password changed for.*
DEST_KEY = queue
FORMAT = indexQueue

inputs.conf

[default]
host = <FORWARDER>

[monitor:///tmp/file.log]
time_before_close = 15
disabled = false
followTail = 0
sourcetype = CA

INDEXER:
inputs.conf

[default]
host = <INDEXER>

[splunktcp-ssl:9999]
_INDEX_AND_FORWARD_ROUTING=STRING
_TCP_ROUTING=my_syslog_ca

[SSL]
cipherSuite = TLSv1.2+HIGH:!3DES:@STRENGTH
password = **********
requireClientCert = false
rootCA = /...
serverCert = /...
sslVersions = tls1.2

outputs.conf

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout]
defaultGroup=my_syslog_ca
forwardedindex.3.blacklist = (_internal|_audit|_telemetry|_introspection)

[my_syslog_ca]
indexAndForward = true

[tcpout:my_syslog_ca]
disabled=false
sendCookedData=false
server=<THIRD_PARTY_IP>:9999

props.conf

[source::/tmp/file.log]
TRANSFORMS-ca=send_to_syslog_ca

transforms.conf

[send_to_syslog_ca]
REGEX = (?!.*\[-07965.*Client type: GUI.*Operator\/CMS).*\[-07965.*Client type: GUI.*|(?!.*\[-07966.*Client type: GUI.*Operator\/CMS).*\[-07966.*Client type: GUI.*|.*\[-07968.*|.*ALARM.*|.*\[-07963.*|.*\[-07964.*|.*\[-07972.*|.*\[-07792.*|(?!.*\[-07841.*Nearing expiration).*\[-07841.*|(?!.*\[-07842.*Nearing expiration).*\[-07842.*|(?!.*\[-07895.*Nearing expiration).*\[-07895.*|.*\[-07968.*
DEST_KEY=_TCP_ROUTING
FORMAT=my_syslog_ca

As said, on the forwarder everything works as expected: events are read, filtered and sent to the indexer. The indexer indexes the filtered events it receives with no issues. The problem is that the filter applied while sending the events to the third party does not work. The indexer sends everything to the third party, not only the events matched by the regex in the indexer's transforms. What am I doing wrong?

Thanks in advance.

Alessandro
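As an added example (not from the post, and not Splunk's own code), a small Python harness that runs the indexer's [send_to_syslog_ca] REGEX from the post against constructed sample events, to show offline which events the transform would tag with _TCP_ROUTING=my_syslog_ca and which the negative lookaheads exclude. It assumes Splunk's unanchored (search) match semantics and uses Python's re module as a stand-in for PCRE.

```python
import re

# Added harness (not Splunk, not the poster's code): checks which sample events the
# indexer's [send_to_syslog_ca] transform REGEX selects for _TCP_ROUTING=my_syslog_ca.
# The alternation is copied from the post's transforms.conf, one alternative per line.
# Assumption: Splunk evaluates REGEX unanchored (search semantics) with PCRE; Python's re
# is used here as an approximation and handles these constructs identically.
SEND_TO_SYSLOG_CA = re.compile("|".join([
    r"(?!.*\[-07965.*Client type: GUI.*Operator\/CMS).*\[-07965.*Client type: GUI.*",
    r"(?!.*\[-07966.*Client type: GUI.*Operator\/CMS).*\[-07966.*Client type: GUI.*",
    r".*\[-07968.*",
    r".*ALARM.*",
    r".*\[-07963.*",
    r".*\[-07964.*",
    r".*\[-07972.*",
    r".*\[-07792.*",
    r"(?!.*\[-07841.*Nearing expiration).*\[-07841.*",
    r"(?!.*\[-07842.*Nearing expiration).*\[-07842.*",
    r"(?!.*\[-07895.*Nearing expiration).*\[-07895.*",
    r".*\[-07968.*",
]))

# Constructed sample events in the shape the forwarder's [CA] filter expects
# (a counter, a space, "[-<code>", a space, then free text). Not real log data.
SAMPLE_EVENTS = [
    "1001 [-07965 Client type: GUI login by admin",
    "1002 [-07965 Client type: GUI login by Operator/CMS",
    "1003 [-07841 Certificate Nearing expiration in 10 days",
    "1004 [-07841 Certificate expired",
    "1005 [-07968 node restarted",
    "1006 [-07628 ALARM raised on unit 3",
    "1007 [-07628 routine heartbeat",
]


def route_group(event: str) -> str:
    """Return 'my_syslog_ca' when the transform REGEX matches (FORMAT=my_syslog_ca),
    otherwise 'unchanged', meaning the transform leaves _TCP_ROUTING untouched."""
    return "my_syslog_ca" if SEND_TO_SYSLOG_CA.search(event) else "unchanged"


def classify(events):
    """Map each event to its routing decision so the transform can be checked offline."""
    return {e: route_group(e) for e in events}


if __name__ == "__main__":
    for event, group in classify(SAMPLE_EVENTS).items():
        print(f"{group:12s} {event}")
```

Events 1002 and 1003 are excluded by the lookaheads (Operator/CMS, Nearing expiration) even though their codes appear in the alternation, while 1007 matches no alternative at all.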
