Getting Data In

HF third party forwarding plus events whitelisting

SplunkExplorer
Contributor

Hi Splunkers,

My colleague and I are going to perform, this week, a change to forward data from a Splunk HF to a third-party system, in this case a UEBA product. In this scenario, we have to forward not all data, but only some subsets.
How to perform this is well explained in the official doc, here, so the purpose of my post is not to understand how to do this.

Reading the guide, I found some points that are not completely clear, so I kindly ask you to help me understand.

  1. Paragraph "Forward a set of data": inside the file transforms.conf we need to insert the following dest key:

     DEST_KEY=_TCP_ROUTING

     Do we need this because we are performing a TCP forwarding, as stated in the file outputs.conf with the stanza [tcpout]? I mean, every time I need to perform a TCP forwarding, must I always use a "tcpout" stanza, and do I need a dest_key like the above one in the case of data subsets?

  2. What about if I need to perform a UDP forwarding? Is it possible? If yes, how should I change the stanzas in the files?
     I mean, I can see that using syslog I could achieve this, but what about if I cannot / don't want to use it?
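As a worked illustration of the two points above (not taken from the post, the linked doc, or any Splunk configuration), here is a complete props.conf / transforms.conf / outputs.conf set for a heavy forwarder that routes only a subset of one sourcetype to a third-party receiver while still indexing everything normally. The stanza types and keys (TRANSFORMS-, DEST_KEY, _TCP_ROUTING, _SYSLOG_ROUTING, [tcpout:<group>], [syslog:<group>], sendCookedData, type) are Splunk's own; the sourcetype name, the regex, the group names, and the hostnames and ports are assumptions chosen for the example. The second transform shows the UDP case: the tcpout output type is TCP only, so a UDP destination has to go through a [syslog:<group>] output, which is why the doc points to syslog for that.

```ini
# --- props.conf (heavy forwarder) ---
# Assumed sourcetype; the two transforms run in order and set different keys,
# so one event can be routed by both.
[linux_secure]
TRANSFORMS-route_ueba = route_subset_to_ueba_tcp, route_subset_to_ueba_udp

# --- transforms.conf ---
# TCP case: only events matching REGEX (tested against _raw) get _TCP_ROUTING set.
# Listing the indexer group as well keeps the events flowing to your indexers;
# naming only ueba_tcp would divert the subset away from Splunk entirely.
[route_subset_to_ueba_tcp]
REGEX = (Accepted|Failed) password for
DEST_KEY = _TCP_ROUTING
FORMAT = splunk_indexers,ueba_tcp

# UDP case: same subset, routed through a syslog output group instead.
[route_subset_to_ueba_udp]
REGEX = (Accepted|Failed) password for
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ueba_udp

# --- outputs.conf ---
# Everything not matched by the transforms goes only to the default group.
[tcpout]
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = indexer1.example.internal:9997

# Third-party TCP receiver: it cannot read Splunk's cooked wire format,
# so send raw lines. Plain TCP is cleartext unless both ends are set up for TLS.
[tcpout:ueba_tcp]
server = ueba.example.internal:9000
sendCookedData = false

# Third-party UDP receiver via the syslog output type (UDP is the default,
# stated explicitly here). Syslog output is always raw text.
[syslog:ueba_udp]
server = ueba.example.internal:514
type = udp
```

After deploying, a quick check is to feed a few matching and non-matching lines through the sourcetype and confirm on the receiver that only the matching subset arrives, and in Splunk that the full sourcetype is still indexed; the most common mistake is a FORMAT that omits the indexer group and silently stops indexing the routed events.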

 
