Getting Data In

How to configure forwarder to filter and forward data to a third party system?

premg
Engager

We need to forward data to a third party system.
I would need to forward all data with sourcetype as *_syslog to the third party system via UDP.
I need to forward data to third party system before indexing the data.

so in heavyforwarder props.conf
[sourcetype::*_syslog]
TRANSFORMS-routingxxxx=routeToxxxxxxx

in transforms.conf
[routeToxxxxxxx]
REGEX=(.)
DEST_KEY=_SYSLOG_ROUTING
FORMAT=outputs_xxxxxxx

in outputs.conf
[syslog:outputs_xxxxxxx]
syslogSourceType=syslog
server=ip
type=udp

The above setting is not sending any data to the third party system.
Please suggest is there is any error in the above configurations.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi premg,

make sure your sourcetype matches exactly and your regex (.) looks strange. I assume you want to match everything ( equal to . in regex ) but your regex is matching (.) .. try using a single dot like . instead in transforms.conf.

hope this helps ...

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...