Hi Gang -
I know this question has been asked and answered several times, but I could not fix my problem. Could someone please help me out?
root@ip-172-31-26-78:/opt/splunk/etc/system/local# cat inputs.conf
[monitor:///var/log/syslog]
host = splunk_indx
sourcetype = syslog
root@ip-172-31-26-78:/opt/splunk/etc/system/local# cat outputs.conf
[tcpout:syslog]
server = 54.169.86.31:514
sendCookedData = false
root@ip-172-31-26-78:/opt/splunk/etc/system/local# cat props.conf
[syslog]
TRANSFORMS-forward = syslogTcpOut
root@ip-172-31-26-78:/opt/splunk/etc/system/local# cat transforms.conf
[syslogTcpOut]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=syslog
root@ip-172-31-26-78:/opt/splunk/etc/system/local#
BTW, I have referred to this post: https://answers.splunk.com/answers/65818/forward-data-to-a-third-party-system.html
Thank you so much!!!
Hi satishsdange,
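I recommend changing the following in your configuration: rename the tcpout group, and set FORMAT in transforms.conf to that same group name (with DEST_KEY=_TCP_ROUTING, FORMAT must be the name of a tcpout stanza).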
root@ip-172-31-26-78:/opt/splunk/etc/system/local# cat outputs.conf
[tcpout:syslog_forward]
server = 54.169.86.31:514
sendCookedData = false
root@ip-172-31-26-78:/opt/splunk/etc/system/local# cat transforms.conf
[syslogTcpOut]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=syslog_forward
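Hope this helps. Keep in mind that with sendCookedData = false and no TLS settings in the tcpout stanza shown here, the events leave the host as raw, unencrypted text toward 54.169.86.31:514, so that path should be a trusted network or a tunnel.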
Unfortunately it did not work.
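The props and transforms need to be on a heavy forwarder or on the indexers, because these routing transforms are applied when the data is parsed, and a universal forwarder does not parse events. It looks like you did all of this on the forwarder itself (see comment #4 on the referenced answer).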
The config is from the indexer.
Any takers for this question?