Forwarding only parts of license_usage.log

ssauler · ‎09-29-2016

I'm struggling to forward only parts of Splunk's license_usage.log. Please consider the following config and tell me whether I'm misunderstanding something. The splunkd.log keeps silent about this and I don't know how to troubleshoot it. Many thanks!

#props.conf
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
TRANSFORMS-set = setnull,routeSubset

#transforms.conf
[setnull]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[routeSubset]
REGEX=cust_pool01
DEST_KEY=_TCP_ROUTING

#outputs.conf
[tcpout]
disabled=false
sendCookedData=false
server=<receiver>:<port>

ssauler · ‎09-29-2016

I ended up with this as a seemingly working version

#props.conf
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
TRANSFORMS-set=routeSubset

#transforms.conf
[routeSubset]
REGEX= cust_pool01
DEST_KEY= _TCP_ROUTING
FORMAT= Subsidiary

#outputs.conf
[tcpout]
defaultGroup=nullGroup
indexAndForward=1

[tcpout:nullGroup]
disabled=true
server=0.0.0.0:0000

[tcpout:Subsidiary]
disabled=false
sendCookedData=true
server=<server>:<ip>

Forwarding only parts of license_usage.log

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Forwarding only parts of license_usage.log

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...