Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forwarding only parts of license_usage.log

ssauler
New Member
‎09-29-2016 02:24 AM

I'm struggling to forward only parts of Splunk's license_usage.log. Please consider the following config and tell me whether I'm misunderstanding something. The splunkd.log keeps silent about this and I don't know how to troubleshoot it. Many thanks!

#props.conf
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
TRANSFORMS-set = setnull,routeSubset

#transforms.conf
[setnull]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[routeSubset]
REGEX=cust_pool01
DEST_KEY=_TCP_ROUTING

#outputs.conf
[tcpout]
disabled=false
sendCookedData=false
server=<receiver>:<port>
0 Karma
Reply

ssauler
New Member
‎09-29-2016 05:16 AM

I ended up with this as a seemingly working version

#props.conf
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
TRANSFORMS-set=routeSubset

#transforms.conf
[routeSubset]
REGEX= cust_pool01
DEST_KEY= _TCP_ROUTING
FORMAT= Subsidiary

#outputs.conf
[tcpout]
defaultGroup=nullGroup
indexAndForward=1

[tcpout:nullGroup]
disabled=true
server=0.0.0.0:0000

[tcpout:Subsidiary]
disabled=false
sendCookedData=true
server=<server>:<ip>
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...