Getting Data In
Highlighted

How to send syslog data to the indexer and another TCP listener? (Part 2)

Builder

my scenario:

I have an APP that can only send syslog data to one destination.
I have an HF configured to receive syslog data UDP.
I want to send the APP syslog data to a HF.

I need the HF to send the data to the indexer and another destination, BUT I don't want all my syslog data (from other sources) to go to the 3rd party TCP listener - just this specific APP's syslog data.

Also I want the data to go to splunk (cooked), but I want the data to go to the other 3rd party TCP listener (uncooked).

So if I am understanding correctly, I will edit the HF's props.conf, transforms.conf, and outputs.conf as follows:

Edit $SPLUNK_HOME/etc/system/local/props.conf

[syslog]
TRANSFORMS-routing = routeAll, routeSubset

Edit $SPLUNK_HOME/etc/system/local/transforms.conf

[routeAll]
REGEX=(.)
DESTKEY=TCP_ROUTING
FORMAT=Everything <-------- This specifies everything syslog goes to the indexer, but not everything to 3rd party TCP receiver?

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT) <--------- This is where I would specify which data would go to the 3rd party app?
DESTKEY=TCP_ROUTING
FORMAT=Subsidiary < ----------------- This is how I would specify that only the above data would go to the 3rd party TCP receiver?

Edit $SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Everything]
disabled=false
server=x.x.x.x:9997 <---- my splunk indexer

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234 <---- the 3rd party app

Does that look right?
Thanks

0 Karma
Highlighted

Re: How to send syslog data to the indexer and another TCP listener? (Part 2)

SplunkTrust
SplunkTrust

Hi @Log_wrangler,

Your configuration looks good please let us know if you will face any issue and community members will help you.

View solution in original post

0 Karma
Highlighted

Re: How to send syslog data to the indexer and another TCP listener? (Part 2)

Builder

Thank you for the confirmation. I am in the staging phase right now, have not had a chance to test-run anything yet.

A couple of followup questions,
1) With the current config above, if I have other sources sending syslog data to the indexer then these sources will not be disturbed and will not be accidentally sent to the 3rd party tcp receiver? If I am understanding correctly,

Edit $SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout]
defaultGroup=nothing <----- setting defaultGroup to nothing defines that "everything" (old and new) goes to indexer and subsidiary goes to 3rd party??

[tcpout:Everything]
disabled=false
server=x.x.x.x:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234

2) Is there any documentation / examples on REGEX for:

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT) <--------- This is where I would specify which data would go to the 3rd party app?
DESTKEY=TCP_ROUTING
FORMAT=Subsidiary

Thank you

0 Karma