Hi Splunkers,

today I'm here not for an issue, or better, not yet, but to "pull all togheter" the components of my task, which is forwarding Splunk data from HF to another system, an Exabeam UEBA in my case. I'm trying to prevent possibile errors I could do in changing the required files, so I may want perform a check here with you to understand if I got all I need from docs. Let me give you more context and introduce the current state.

• The Splunk environment installation and setup has not been performed by my team, but by another one
• That team has not created an outputs.conf file in SPLUNK_HOME/etc/system/local; they created each outputs.conf they required in a separate folder under the SPLUNK_HOME/etc/app one. So at this time we have a lot of outputs.conf files, but no one under SPLUNK_HOME/etc/system/local. At the same time, no props.conf and transforms.conf are present under SPLUNK_HOME/etc/system/local
• We must forward only a subset of data via syslog and we have to filter them with sourcetypes
• We have 2 destination syslog servers balanced by a Load Balancer, so we have to send data to LB VIP
• We are using syslog but, for some reason, we will not use the default UDP; we are going to use syslog via TCP
• I have no direct access to Splunk HF; the task is going to be performed with colleagues that have this access. I'm in charge of editing the required files and pass them to my colleagues, that will upload them on HF.

Which documentation we used? Those one:

Forward data to third-party systems 
Route and filter data 

Plus I searched other symylar topics here on community and tried to got some results.

So, putting all data togheter, we stated that, because there are not the outputs.conf, props.conf and transforms.conf files in $SPLUNK_HOME/etc/system/local, we must:

• create outputs.conf,  props.conf and transforms.conf under $SPLUNK_HOME/etc/system/local folder
• populate them following docs

If the above assumptions are right, I have some doubts about the files, because some docs points are not complete clear for me. So, suppose we want to to start forward only a subset of Windows EventID with syslog tcp; are the below conf files ok?

outpust.conf:

[syslog:syslogToExabeamGroup]
type = tcp
server = <ipaddress>:<port>

Note that, cause I have to forward only a subset of data, I avoided the defaultGroup settings, like in the sample of Forward data to third-party systems docs.

props.conf:

[<windows_sourcetype_name>]
TRANSFORMS-routing1 = syslog_from_win_to_exabeam

Here I used directly the souretype name and not the syntax sourcetype::<sourcetype_name>; is it correct? Plus, even if in Forward data to third-party systems docs I have the syntax like TRANSFORMS-whatever_you_want, I followd what stated in Route and Filter Data and used a syntax like TRANSFORMS-routingX.

transforms.conf:

[syslog_from_win_to_exabeam]
REGEX = EventID\>(4624|4625|4648|4672|4720|4722|4723|4724|4725|4726|4728|4729|4732|4733|4740|4756|4757|4767|4768|4769|4770|4771|4776|4780|1102|4611|4663|4673|4674|4688|4697|4698|4719|4778|4779|4780|4800|4801|5136|5137|5138|5139|5140|5141|5145|6272)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogToExabeamGroup

The regex has been built based on our logs (we are receiving them in XML format).

It seems all ok but I'm not sure I forgot/done bad some configuration.