Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forward data into 3rd party systems using index instead of host?

christantoy
Path Finder
‎10-11-2012 09:21 PM

Good day

i Read this document regarding to the forward data to third-party systems

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd#Forward_s...

and my question is can i forward my created index? instead of host?

For example

props.conf

to this 

  [host::nyc*]
    TRANSFORMS-nyc = send_to_syslog

Into this

 [index::sample]
    TRANSFORMS-sample = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

output.conf

[syslog:my_syslog_group]
server = loghost.example.com:514

In short i would like to send the contents of the index into other non-splunk systems

Regards
Cris

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎10-11-2012 11:30 PM

Yes. While you can't match against index directly in the stanza, you can put in a default section and then match it in a regex instead by using SOURCE_KEY.

props.conf:

[default]
TRANSFORMS-sampleindex = send_sample_index_to_syslog

transforms.conf:

[send_sample_index_to_syslog]
SOURCE_KEY = _MetaData:Index
REGEX = ^sample$
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎10-11-2012 11:30 PM

Yes. While you can't match against index directly in the stanza, you can put in a default section and then match it in a regex instead by using SOURCE_KEY.

props.conf:

[default]
TRANSFORMS-sampleindex = send_sample_index_to_syslog

transforms.conf:

[send_sample_index_to_syslog]
SOURCE_KEY = _MetaData:Index
REGEX = ^sample$
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
Reply
Solved! Jump to solution

christantoy
Path Finder
‎10-12-2012 12:39 AM

Hi again Ayn

can i create a conf file? for output.conf and the other instead? it will work if i do that?

Thanks and Regards
Cris

0 Karma
Reply
Solved! Jump to solution

christantoy
Path Finder
‎10-12-2012 12:05 AM

Thank you again!

Forget about the second question. 🙂

BTW my outputs.conf is that correct? do i need to used that?

Regards
Cris

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎10-11-2012 11:52 PM

The [default] section can be put in the same props.conf file as other settings you would want to apply. Where it resides doesn't really matter as long as it's in a location where Splunk is seeing and using it.

Re your second question, I'm afraid I don't entirely understand what you mean.

0 Karma
Reply
Solved! Jump to solution

christantoy
Path Finder
‎10-11-2012 11:50 PM

Thanks for you answer

But you said that i can put in a default section?
on here splunk > etc > system > default ? i am right?

and but the way i am not much familiar with regex can i done with a default?

Regards Cris

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top