Getting Data In

How to configure forwarder to filter and forward data to a third party system?

premg
Engager

We need to forward data to a third party system.
I would need to forward all data with sourcetype as *_syslog to the third party system via UDP.
I need to forward data to third party system before indexing the data.

so in heavyforwarder props.conf
[sourcetype::*_syslog]
TRANSFORMS-routingxxxx=routeToxxxxxxx

in transforms.conf
[routeToxxxxxxx]
REGEX=(.)
DEST_KEY=_SYSLOG_ROUTING
FORMAT=outputs_xxxxxxx

in outputs.conf
[syslog:outputs_xxxxxxx]
syslogSourceType=syslog
server=ip
type=udp

The above setting is not sending any data to the third party system.
Please suggest is there is any error in the above configurations.

0 Karma

MuS
Legend

Hi premg,

make sure your sourcetype matches exactly and your regex (.) looks strange. I assume you want to match everything ( equal to . in regex ) but your regex is matching (.) .. try using a single dot like . instead in transforms.conf.

hope this helps ...

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...