Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure a heavy forwarder to route some of the data to syslog+nullqueue, and rest to index?

sarit_s
Communicator
‎05-04-2016 01:54 AM

We are trying to configure a heavy forwarder to route some of the data to syslog+nullqueue, and index the rest of the data.

I tried to use props + transforms to route the desired regex to syslog+null queue.
Issue is, when events go to nullqueue, they do not go to syslog at all.
Is there any way to send to syslog while not indexing?

Here is what I configured in props.conf, transforms.conf:

Sourcetype: BES
Regex to route to syslog: *INFO
All the other events should be indexed.

props.conf
[BES]
TRANSFORMS-bes-syslog=send_to_syslog_bes,nullqueue_bes

transforms.conf
[nullqueue_bes]
REGEX = *INFO
DEST_KEY = queue
FORMAT = nullQueue

[send_to_syslog_bes]
REGEX = *INFO
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogforward_bes

outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://indexer01:9997]

[tcpout-server://indexer02:9997]

[tcpout:default-autolb-group]
disabled = false
server = indexer01:9997,indexer02:9997

[syslog:syslogforward_bes]
server = x.x.x.x:523
timestampformat = %Y-%m-%dT%H:%M:%S.%3N

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-04-2016 05:48 AM

Youll want to use these in inputs.conf:

_SYSLOG_ROUTING = primarySyslogs
_TCP_ROUTING = somethingThatDoesntExistInOutputsConf

And then you'll have something like this in your outputs.conf:

[syslog]
defaultGroup=primarySyslogs

[syslog:primarySyslogs]
server = 10.1.1.197:514

https://answers.splunk.com/answers/54086/inputs-conf-syslog-routing-only.html

Your configuration may need to vary slightly. Perhaps you want specific events sent to syslog, others indexed, etc. I recommend that you read the docs very carefully and test before implementing in production if possible:

http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Outputsconf
http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Inputsconf

If you need to parse out specific events for syslog and index others,... you'll need to look into transforms.conf and props.conf as well

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...