Getting Data In

How to configure forwarder to filter and forward data to a third party system?

premg
Engager

We need to forward data to a third party system.
I would need to forward all data with sourcetype as *_syslog to the third party system via UDP.
I need to forward data to third party system before indexing the data.

so in heavyforwarder props.conf
[sourcetype::*_syslog]
TRANSFORMS-routingxxxx=routeToxxxxxxx

in transforms.conf
[routeToxxxxxxx]
REGEX=(.)
DEST_KEY=_SYSLOG_ROUTING
FORMAT=outputs_xxxxxxx

in outputs.conf
[syslog:outputs_xxxxxxx]
syslogSourceType=syslog
server=ip
type=udp

The above setting is not sending any data to the third party system.
Please suggest is there is any error in the above configurations.

0 Karma

MuS
Legend

Hi premg,

make sure your sourcetype matches exactly and your regex (.) looks strange. I assume you want to match everything ( equal to . in regex ) but your regex is matching (.) .. try using a single dot like . instead in transforms.conf.

hope this helps ...

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...