Getting Data In

How to send syslog data to the indexer and another TCP listener? (Part 3)

Log_wrangler
Builder

Hi All,

Thank you for the assistance so far.

I just want to confirm my understanding and ask a follow-up REGEX question regarding [routeAll] and [routeSubset].

So if I edit the following:
Edit $SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout]
defaultGroup=nothing <----- does setting defaultGroup to "nothing" mean that the default group receives nothing?

As directed by the following stanzas (below):
"everything" (old and new source feeds) goes to the indexer(s);
"subsidiary" goes only to the 3rd-party TCP receiver.

[tcpout:Everything]
disabled=false
server=x.x.x.x:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234

Is that correct?

Question:
I am in the staging phase, so I have not had a chance to test a regex for the following:

Please advise how to write the REGEX for [routeAll] to send all data to the indexer(s), and how to write the REGEX for [routeSubset] to send only uncooked data to the 3rd-party TCP receiver.

I need an example if possible.

For example, with REGEX=(SYSTEM|CONFIG|THREAT), how did the author determine that this is the correct expression?

[routeAll]
REGEX=(.) <--------- This is where I would specify that all data continues to the indexer(s)?
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT) <--------- This is where I would specify which data goes to the 3rd-party app?
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary

Any documentation on this is appreciated.

Thank you

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi @Log_wrangler,

If you want to send all data (assuming multiple sourcetypes are sending data to the HF, and the HF forwards to the IDX), then you can do the following configuration.

outputs.conf

[tcpout]
defaultGroup=Everything

[tcpout:Everything]
disabled=false
server=x.x.x.x:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234

props.conf, only for those sourcetypes whose data you want to transfer to the 3rd-party server.

[yoursourcetype]
TRANSFORMS-routesubset = routesubsetdata

transforms.conf: with the configuration below, if your event contains the word SYSTEM, CONFIG or THREAT, then that event will be routed to the 3rd party, but those events go to the Indexers as well due to defaultGroup=Everything. So based on your requirement you can create the regex, or if you need help you can ask a new question with some sample data for the regex.

[routesubsetdata]
REGEX=(SYSTEM|CONFIG|THREAT)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary

I hope this helps.

Thanks,
Harshil


Log_wrangler
Builder

Thank you for the clarification.

What happens if the following is in place?

[tcpout]
defaultGroup=nothing

0 Karma

harsmarvania57
Ultra Champion

If you set defaultGroup=nothing, then you need to configure props.conf and transforms.conf to route that data to the Indexer and to the 3rd-party system, as given by you in the question. But you need to do the same configuration for all sourcetypes; otherwise, sourcetypes that are not configured to route all data to the Indexers will be dropped on the HF.

0 Karma
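The routing decision described in the accepted answer and in the defaultGroup=nothing follow-up, as an added example that is not part of the original thread and not Splunk's own code: a small Python model that parses the three .conf fragments from the answer and routes constructed sample events through them, so the effect of each outputs.conf variant can be checked before anything reaches a heavy forwarder. The rules it models are assumptions taken from the outputs.conf / transforms.conf spec text (a _TCP_ROUTING value set by a transform replaces defaultGroup for that event, the last matching transform wins, FORMAT may list several comma-separated groups, and a defaultGroup name with no enabled [tcpout:<group>] stanza forwards nothing); the sourcetypes syslog and wineventlog, the sample events and the TRANSFORMS_BOTH variant are constructed for the example.

```python
"""Model of Splunk HF TCP routing for the config in this thread (added example, not Splunk code).
Assumed rules, taken from outputs.conf.spec / transforms.conf.spec: a _TCP_ROUTING value set by
a transform REPLACES defaultGroup for that event; later matching transforms overwrite the value;
FORMAT may list several groups; names with no enabled [tcpout:<group>] stanza forward nothing."""
import configparser
import re

# outputs.conf as posted in the accepted answer
OUTPUTS_DEFAULT_EVERYTHING = """
[tcpout]
defaultGroup=Everything

[tcpout:Everything]
disabled=false
server=x.x.x.x:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234
"""
# the follow-up variant: defaultGroup names no real group
OUTPUTS_DEFAULT_NOTHING = OUTPUTS_DEFAULT_EVERYTHING.replace("defaultGroup=Everything", "defaultGroup=nothing")
# props.conf / transforms.conf from the answer; 'syslog' stands in for [yoursourcetype]
PROPS_CONF = """
[syslog]
TRANSFORMS-routesubset = routesubsetdata
"""
TRANSFORMS_CONF = """
[routesubsetdata]
REGEX=(SYSTEM|CONFIG|THREAT)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary
"""
# hypothetical variant: send matching events to BOTH destinations
TRANSFORMS_BOTH = TRANSFORMS_CONF.replace("FORMAT=Subsidiary", "FORMAT=Everything,Subsidiary")
# constructed sample events: (sourcetype, _raw)
SAMPLE_EVENTS = [
    ("syslog", "Jan 10 12:00:01 fw01 THREAT: drop tcp 10.0.0.5 -> 203.0.113.7:445"),
    ("syslog", "Jan 10 12:00:02 fw01 CONFIG: commit by admin"),
    ("syslog", "Jan 10 12:00:03 fw01 TRAFFIC: allow tcp 10.0.0.5 -> 10.0.0.9:443"),
    ("syslog", "Jan 10 12:00:04 fw01 system: restart scheduled"),  # lowercase: regex is case-sensitive
    ("wineventlog", "EventCode=4625 THREAT actor logon failure"),  # sourcetype with no TRANSFORMS-
]

def parse_conf(text):
    """Parse a Splunk .conf fragment; keys keep their case (TRANSFORMS-x, DEST_KEY)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def enabled_groups(outputs):
    """Enabled [tcpout:<group>] stanzas -> whether the group receives cooked data."""
    groups = {}
    for section in outputs.sections():
        if section.startswith("tcpout:") and outputs[section].get("disabled", "false").lower() != "true":
            groups[section.split(":", 1)[1]] = outputs[section].get("sendCookedData", "true").lower() != "false"
    return groups

def ordered_transforms(props, sourcetype):
    """TRANSFORMS-<class> stanza names for a sourcetype (classes in ASCII order, assumed)."""
    if not props.has_section(sourcetype):
        return []
    names = []
    for key in sorted(props[sourcetype]):
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in props[sourcetype][key].split(",") if n.strip())
    return names

def route_event(raw, sourcetype, outputs, props, transforms):
    """Return the tcpout groups the event is sent to (empty list = dropped on the HF)."""
    groups = enabled_groups(outputs)
    routing = None
    for name in ordered_transforms(props, sourcetype):
        if transforms.has_section(name) and transforms[name].get("DEST_KEY") == "_TCP_ROUTING":
            if re.search(transforms[name]["REGEX"], raw):
                routing = [g.strip() for g in transforms[name]["FORMAT"].split(",")]  # last match wins
    if routing is None:  # no override: fall back to defaultGroup
        default = outputs["tcpout"].get("defaultGroup", "") if outputs.has_section("tcpout") else ""
        routing = [g.strip() for g in default.split(",")]
    return [g for g in routing if g in groups]

def simulate(outputs_text, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF, events=SAMPLE_EVENTS):
    """Route every sample event; returns [(sourcetype, raw, [group, ...]), ...]."""
    outputs, props, transforms = (parse_conf(t) for t in (outputs_text, props_text, transforms_text))
    return [(st, raw, route_event(raw, st, outputs, props, transforms)) for st, raw in events]

def dropped(results):
    """Raw events that reach no enabled tcpout group."""
    return [raw for _, raw, groups in results if not groups]

if __name__ == "__main__":
    for label, conf in (("Everything", OUTPUTS_DEFAULT_EVERYTHING), ("nothing", OUTPUTS_DEFAULT_NOTHING)):
        print(f"== defaultGroup={label}")
        for st, raw, groups in simulate(conf):
            print(f"  {st:12} -> {groups or 'DROPPED'}  {raw[:45]}")
```

Two things the run makes visible. First, (SYSTEM|CONFIG|THREAT) is an unanchored, case-sensitive substring match, so it selects exactly the events whose raw text contains one of those uppercase words (the lowercase "system" line falls through to the default group); the author's expression is an example of picking literal markers from the feed, not a derived formula. Second, under the modelled override rule a matching event carries only the groups named in FORMAT, and with defaultGroup pointing at no real group every sourcetype without a routing transform reaches nothing; the TRANSFORMS_BOTH variant shows that naming both groups in FORMAT is what sends the subset to the indexers and the 3rd-party receiver at once. On the forwarder itself, `splunk btool props list <sourcetype> --debug` and `splunk btool transforms list <stanza> --debug` show the merged stanzas that will actually apply.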

Log_wrangler
Builder

Thank you, that is what I was concerned about....

0 Karma