Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure forwarder to filter and forward data to a third party system?

premg
Engager
‎08-19-2014 07:32 AM

We need to forward data to a third party system.
I would need to forward all data with sourcetype as *_syslog to the third party system via UDP.
I need to forward data to third party system before indexing the data.

so in heavyforwarder props.conf
[sourcetype::*_syslog]
TRANSFORMS-routingxxxx=routeToxxxxxxx

in transforms.conf
[routeToxxxxxxx]
REGEX=(.)
DEST_KEY=_SYSLOG_ROUTING
FORMAT=outputs_xxxxxxx

in outputs.conf
[syslog:outputs_xxxxxxx]
syslogSourceType=syslog
server=ip
type=udp

The above setting is not sending any data to the third party system.
Please suggest is there is any error in the above configurations.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎08-19-2014 10:59 PM

Hi premg,

make sure your sourcetype matches exactly and your regex (.) looks strange. I assume you want to match everything ( equal to . in regex ) but your regex is matching (.) .. try using a single dot like . instead in transforms.conf.

hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...