Getting Data In

How can I configure routing that sends specific logs to only 514 and other logs to 9997?

Builder

I want to configure routing that sends specific logs(syslog_test) to only 514 and other logs to 9997, so I edited props.conf, transforms.conf,outputs.conf of HF like below.

props.conf

[syslog_test]
TRANSFORMS-routing = syslogRouting
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = custom
disabled = false

transforms.conf

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup

outputs.conf

[tcpout]
defaultGroup=everythingElseGroup
[tcpout:everythingElseGroup]
server=Indexer's IP:9997
[syslog:syslogGroup]
server=Indexer's IP:514 

But HF forwards syslog_test to 514 and 9997.
What is wrong? Could anyone tell me?

0 Karma
1 Solution

Builder

I can do it by changing props.conf and transforms.conf like below.

props.conf

[syslog_test]
TRANSFORMS-routing = syslogRouting,tcpnull
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = custom
disabled = false

transforms.conf

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
[tcpnull]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=

View solution in original post

0 Karma

Builder

I can do it by changing props.conf and transforms.conf like below.

props.conf

[syslog_test]
TRANSFORMS-routing = syslogRouting,tcpnull
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = custom
disabled = false

transforms.conf

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
[tcpnull]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!