Getting Data In

Forwarding only parts of license_usage.log

ssauler
New Member

I'm struggling to forward only parts of Splunk's license_usage.log. Please consider the following config and tell me whether I'm misunderstanding something. The splunkd.log keeps silent about this and I don't know how to troubleshoot it. Many thanks!

#props.conf
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
TRANSFORMS-set = setnull,routeSubset

#transforms.conf
[setnull]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[routeSubset]
REGEX=cust_pool01
DEST_KEY=_TCP_ROUTING

#outputs.conf
[tcpout]
disabled=false
sendCookedData=false
server=<receiver>:<port>
0 Karma

ssauler
New Member

I ended up with this as a seemingly working version

#props.conf
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
TRANSFORMS-set=routeSubset

#transforms.conf
[routeSubset]
REGEX= cust_pool01
DEST_KEY= _TCP_ROUTING
FORMAT= Subsidiary

#outputs.conf
[tcpout]
defaultGroup=nullGroup
indexAndForward=1

[tcpout:nullGroup]
disabled=true
server=0.0.0.0:0000

[tcpout:Subsidiary]
disabled=false
sendCookedData=true
server=<server>:<ip>
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...