Forwarding only parts of license_usage.log

ssauler · ‎09-29-2016

I'm struggling to forward only parts of Splunk's license_usage.log. Please consider the following config and tell me whether I'm misunderstanding something. The splunkd.log keeps silent about this and I don't know how to troubleshoot it. Many thanks!

#props.conf
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
TRANSFORMS-set = setnull,routeSubset

#transforms.conf
[setnull]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[routeSubset]
REGEX=cust_pool01
DEST_KEY=_TCP_ROUTING

#outputs.conf
[tcpout]
disabled=false
sendCookedData=false
server=<receiver>:<port>

ssauler · ‎09-29-2016

I ended up with this as a seemingly working version

#props.conf
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
TRANSFORMS-set=routeSubset

#transforms.conf
[routeSubset]
REGEX= cust_pool01
DEST_KEY= _TCP_ROUTING
FORMAT= Subsidiary

#outputs.conf
[tcpout]
defaultGroup=nullGroup
indexAndForward=1

[tcpout:nullGroup]
disabled=true
server=0.0.0.0:0000

[tcpout:Subsidiary]
disabled=false
sendCookedData=true
server=<server>:<ip>

Forwarding only parts of license_usage.log

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Forwarding only parts of license_usage.log

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits