Getting Data In

How to configure forwarder to filter and forward data to a third party system?

premg
Engager

We need to forward data to a third party system.
I would need to forward all data with sourcetype as *_syslog to the third party system via UDP.
I need to forward data to third party system before indexing the data.

So in the heavy forwarder's props.conf:
[sourcetype::*_syslog]
TRANSFORMS-routingxxxx=routeToxxxxxxx

In transforms.conf:
[routeToxxxxxxx]
REGEX=(.)
DEST_KEY=_SYSLOG_ROUTING
FORMAT=outputs_xxxxxxx

In outputs.conf:
[syslog:outputs_xxxxxxx]
syslogSourceType=syslog
server=ip
type=udp

The above setting is not sending any data to the third party system.
Please suggest if there is any error in the above configurations.

0 Karma

MuS
SplunkTrust

Hi premg,

Make sure your sourcetype matches exactly, and your regex (.) looks strange. I assume you want to match everything (equal to . in regex), but your regex is matching (.) .. try using a single dot like . instead in transforms.conf.

hope this helps ...

cheers, MuS

0 Karma
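As an added example (not part of the thread, and not Splunk's own tooling), the script below parses the three configuration fragments from the question and walks the routing chain the way a heavy forwarder resolves it: a TRANSFORMS- attribute in props.conf must name a transforms.conf stanza whose DEST_KEY is _SYSLOG_ROUTING, whose FORMAT names a [syslog:<group>] stanza in outputs.conf, and that stanza's server must carry a port. It also compiles the REGEX and tests it against a constructed sample event. The stanza names, the sourcetype `example_syslog`, the hostname and the address 192.0.2.10:514 in the "fixed" set are constructed placeholders; the props.conf rule it checks is that a sourcetype stanza is written as a bare `[<sourcetype>]` and must match the sourcetype name exactly, while only `source::` and `host::` stanzas take a prefix and wildcards.

```python
"""Consistency check for a Splunk syslog-routing chain (props.conf ->
transforms.conf -> outputs.conf).  Added example, not from the thread or
from Splunk.  The config text below is copied from the question; the
"FIXED_*" set and the sample event are constructed placeholders."""
import configparser
import re

# --- constructed copies of the fragments posted in the question ----------
PROPS = """
[sourcetype::*_syslog]
TRANSFORMS-routingxxxx=routeToxxxxxxx
"""
TRANSFORMS = """
[routeToxxxxxxx]
REGEX=(.)
DEST_KEY=_SYSLOG_ROUTING
FORMAT=outputs_xxxxxxx
"""
OUTPUTS = """
[syslog:outputs_xxxxxxx]
syslogSourceType=syslog
server=ip
type=udp
"""

# --- constructed "fixed" set: exact sourcetype name, host:port target -----
FIXED_PROPS = """
[example_syslog]
TRANSFORMS-routing=routeToSyslogTarget
"""
FIXED_TRANSFORMS = """
[routeToSyslogTarget]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_target
"""
FIXED_OUTPUTS = """
[syslog:syslog_target]
syslogSourceType=syslog
server=192.0.2.10:514
type=udp
"""


def parse(text):
    """Parse Splunk-style .conf text into {stanza: {attr: value}}.
    Only '=' is a delimiter (values such as host:port contain ':'),
    and attribute names keep their case (TRANSFORMS-, DEST_KEY)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_routing(props, transforms, outputs):
    """Walk every TRANSFORMS- reference and return a list of findings.
    An empty list means the chain is wired end to end."""
    findings = []
    for stanza, attrs in props.items():
        # props.conf has no 'sourcetype::' prefix; a sourcetype stanza is
        # [<sourcetype>] and must match the name exactly (no wildcards).
        if stanza.startswith("sourcetype::"):
            findings.append(f"props.conf [{stanza}]: 'sourcetype::' is not a "
                            "stanza prefix; write [<sourcetype>] with the exact name")
        elif re.search(r"[*?]", stanza) and not stanza.startswith(("source::", "host::")):
            findings.append(f"props.conf [{stanza}]: wildcards are only honoured "
                            "in source:: and host:: stanzas")
        for key, target in attrs.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in re.split(r"\s*,\s*", target.strip()):
                t = transforms.get(name)
                if t is None:
                    findings.append(f"props.conf [{stanza}]: {key} names [{name}], "
                                    "which is not in transforms.conf")
                    continue
                if t.get("DEST_KEY") != "_SYSLOG_ROUTING":
                    findings.append(f"transforms.conf [{name}]: DEST_KEY must be "
                                    "_SYSLOG_ROUTING for syslog output routing")
                try:
                    re.compile(t.get("REGEX", ""))
                except re.error as exc:
                    findings.append(f"transforms.conf [{name}]: REGEX does not compile ({exc})")
                group = f"syslog:{t.get('FORMAT', '')}"
                out = outputs.get(group)
                if out is None:
                    findings.append(f"transforms.conf [{name}]: FORMAT points at "
                                    f"[{group}], which is not in outputs.conf")
                    continue
                # The syslog output needs a real target with an explicit port.
                if not re.fullmatch(r"[^:\s]+:\d{1,5}", out.get("server", "")):
                    findings.append(f"outputs.conf [{group}]: server must be "
                                    f"<host>:<port>, got {out.get('server')!r}")
                if out.get("type", "udp") not in ("udp", "tcp"):
                    findings.append(f"outputs.conf [{group}]: type must be udp or tcp")
    return findings


def regex_matches(transforms, name, sample):
    """True if the transform's REGEX finds a match in a sample event."""
    return re.compile(transforms[name]["REGEX"]).search(sample) is not None


if __name__ == "__main__":
    sample = "<13>Jan  1 00:00:00 host app: constructed sample event"
    for label, p, t, o in (("posted", PROPS, TRANSFORMS, OUTPUTS),
                           ("fixed", FIXED_PROPS, FIXED_TRANSFORMS, FIXED_OUTPUTS)):
        found = check_routing(parse(p), parse(t), parse(o))
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
    print("(.) matches sample:", regex_matches(parse(TRANSFORMS), "routeToxxxxxxx", sample))
```

Running it reports two findings for the posted set (the stanza header and the port-less server) and none for the fixed set; it also shows that `(.)` does find a match in a sample event, so the regex on its own is not what stops the routing. Two things the check does not cover but a practitioner should confirm on the forwarder: the data must actually arrive with the sourcetype the stanza names, and plain UDP syslog carries the events unencrypted and without delivery confirmation, so the receiving system's firewall rules and a packet capture on port 514 are the quickest way to see whether anything leaves the box.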