Need a little help as I have not set this up before.
Here is my scenario.
I have an APP that can only send syslog data to one destination.
I have an HF configured to receive syslog data over UDP.
I want to send the APP syslog data to an HF.
I need the HF to send the data to the indexer and another destination.
I want the data to go to splunk (cooked), but I want the data to go to the other destination (uncooked).
Please advise the best way to configure this.
Thank you
You can refer to the following Splunk documentation to learn about Splunk routing.
The example in the above post sends all data to the Indexer and selected data to the third party. If you want to send all data to both the Indexers and the third-party system, you'd use just routeAll.
[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything
To send the uncooked data to the third party, you'd set sendCookedData to false in the outputs.conf entry for the third-party system.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Forwarddatatothird-partysystemsd
Thank you, I will take a look.
So if I am understanding correctly, I will edit the HF's props.conf, transforms.conf, and outputs.conf as follows:
Edit $SPLUNK_HOME/etc/system/local/props.conf
[syslog]
TRANSFORMS-routing = routeAll <----- do I need route subset if I am sending all to both?
Edit $SPLUNK_HOME/etc/system/local/transforms.conf
[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything
Edit $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup=nothing
[tcpout:Everything]
disabled=false
server=x.x.x.x:9997 <---- my splunk indexer
[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234 <---- the 3rd party app
Does that look right?
Thanks
Hey @log_wrangler (sweet username!) your comment is posted now! The submissions were in the mod queue. Sorry if that was frustrating. If you get 6 more karma points your posts will only be moderated if they meet the other standard criteria. (30 points). Actually, I'll upvote your comment so you're in the clear. 🙂
Please post my second part question
How to send syslog data to the indexer and another TCP listener? (Part 2)
It is "awaiting moderation".
Thank you
@lfedak, Thank you for the upvote. Can you please post my (Part 2) question when you have time?
Thank you
Your props.conf looks correct (just routeAll, since you're sending all data).
Your transforms.conf needs correction. The FORMAT should include both tcpout groups, as you want to copy the data to both destinations (Everything for your indexer and Subsidiary for your third-party app).
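The mistake corrected above (a tcpout group that is defined in outputs.conf but never named in any FORMAT, so the third-party listener silently gets nothing) is easy to make and easy to check mechanically. The following is an added example, not code from this thread or from Splunk: a small hypothetical helper that parses the three .conf files with Python's configparser (Splunk .conf files are INI-style stanzas) and reports the routing mistakes discussed in this thread. The sample configs, the 192.0.2.x addresses and the function names are all constructed for the example.

```python
"""Sanity-check a Splunk heavy forwarder routing setup (props/transforms/outputs).

Hypothetical helper, not part of Splunk. It reports the mistakes that make
data silently miss a destination: a routing rule that does not exist, a
FORMAT that names an undefined tcpout group, a defined group nothing routes
to, and a non-Splunk listener that would receive cooked (Splunk-framed) data.
"""
import configparser
from typing import List


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text; option names stay case-sensitive (DEST_KEY, REGEX)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lowercase option names
    cp.read_string(text)
    return cp


def check_routing(props: str, transforms: str, outputs: str,
                  sourcetype: str, uncooked_groups: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the routing is consistent.

    uncooked_groups: tcpout groups that are non-Splunk TCP listeners and must
    therefore be sent raw (uncooked) data.
    """
    findings: List[str] = []
    p, t, o = parse_conf(props), parse_conf(transforms), parse_conf(outputs)

    # 1. The sourcetype stanza must name at least one TRANSFORMS-* routing rule.
    if not p.has_section(sourcetype):
        return [f"props.conf has no [{sourcetype}] stanza"]
    rule_names: List[str] = []
    for key, value in p[sourcetype].items():
        if key.startswith("TRANSFORMS-"):
            rule_names += [v.strip() for v in value.split(",") if v.strip()]
    if not rule_names:
        findings.append(f"[{sourcetype}] has no TRANSFORMS-* entry; nothing is routed")

    # 2. Every rule must exist, write _TCP_ROUTING and name real tcpout groups.
    defined_groups = {s.split(":", 1)[1] for s in o.sections() if s.startswith("tcpout:")}
    routed_groups = set()
    for name in rule_names:
        if not t.has_section(name):
            findings.append(f"transforms.conf has no [{name}] stanza")
            continue
        stanza = t[name]
        if stanza.get("DEST_KEY") != "_TCP_ROUTING":
            findings.append(f"[{name}] DEST_KEY must be _TCP_ROUTING for output routing")
        for g in stanza.get("FORMAT", "").split(","):
            g = g.strip()
            if not g:
                continue
            routed_groups.add(g)
            if g not in defined_groups:
                findings.append(f"[{name}] FORMAT names '{g}' but outputs.conf has no [tcpout:{g}]")

    # 3. A defined group that no rule (and no defaultGroup) sends to receives no data.
    default = o["tcpout"].get("defaultGroup", "") if o.has_section("tcpout") else ""
    default_groups = {d.strip() for d in default.split(",") if d.strip()}
    for g in sorted(defined_groups - routed_groups - default_groups):
        findings.append(f"[tcpout:{g}] is defined but no routing rule sends data to it")

    # 4. Non-Splunk listeners need sendCookedData = false or they get Splunk's binary framing.
    for g in uncooked_groups:
        section = f"tcpout:{g}"
        if o.has_section(section) and o[section].get("sendCookedData", "true").lower() != "false":
            findings.append(f"[tcpout:{g}] must set sendCookedData = false for a non-Splunk listener")
    return findings


# Constructed sample configs mirroring the thread (addresses are placeholders).
PROPS = """
[syslog]
TRANSFORMS-routing = routeAll
"""
TRANSFORMS_OK = """
[routeAll]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = Subsidiary,Everything
"""
TRANSFORMS_ONE_GROUP = TRANSFORMS_OK.replace("Subsidiary,Everything", "Everything")
OUTPUTS = """
[tcpout]
defaultGroup = nothing

[tcpout:Everything]
disabled = false
server = 192.0.2.10:9997

[tcpout:Subsidiary]
disabled = false
sendCookedData = false
server = 192.0.2.20:1234
"""
OUTPUTS_COOKED = OUTPUTS.replace("sendCookedData = false\n", "")

if __name__ == "__main__":
    for label, tr, out in [("corrected", TRANSFORMS_OK, OUTPUTS),
                           ("one group", TRANSFORMS_ONE_GROUP, OUTPUTS),
                           ("cooked", TRANSFORMS_OK, OUTPUTS_COOKED)]:
        print(label, check_routing(PROPS, tr, OUTPUTS if out is OUTPUTS else out, "syslog", ["Subsidiary"]) or "OK")
```

Run it against the real files by reading $SPLUNK_HOME/etc/system/local/*.conf into the three strings; it only reads the stanzas, so it can be run on a copy before the HF is restarted.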
Thank you Somesoni!! If you don't mind... I actually created a part 2 question. Please take a look at that question. There is an additional criterion to my scenario. Thank you