Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I replicate a subset of the data to a non-Splunk destination?

Alan_Bradley
Path Finder
‎02-22-2010 07:23 PM

I need to do the following on my forwarder:

  1. Forward all data received and gathered by the forwarder to Splunk indexer
  2. Replicate subset of the data, based on a source or sourcetype, to a 3rd party server

Can someone share a basic configuration example?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

matt
Splunk Employee
Splunk Employee
‎02-23-2010 12:28 AM

This will send a cooked data stream to the indexer (10.1.12.1:9997) and a second smaller uncooked tcp stream to the third party (10.1.12.2:1234). If you need the second stream to be syslog out then you will need to shift that work to the indexer.

props.conf

[syslog]
TRANSFORMS-routing = routeAll, routeSubset

transforms.conf

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything

outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Everything]
disabled=false
server=10.1.12.1:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=10.1.12.2:1234

View solution in original post

Reply
Solved! Jump to solution
Solution

matt
Splunk Employee
Splunk Employee
‎02-23-2010 12:28 AM

This will send a cooked data stream to the indexer (10.1.12.1:9997) and a second smaller uncooked tcp stream to the third party (10.1.12.2:1234). If you need the second stream to be syslog out then you will need to shift that work to the indexer.

props.conf

[syslog]
TRANSFORMS-routing = routeAll, routeSubset

transforms.conf

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything

outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Everything]
disabled=false
server=10.1.12.1:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=10.1.12.2:1234
Reply
Get Updates on the Splunk Community!

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...

Customer Experience | Call for Stories: Your 2023 Journey with Splunk!

Share your Splunk journey: Splunk is committed to supporting our customers toward success. As the year draws ...

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...