Getting Data In

How to send syslog data to the indexer and another TCP listener? (Part 3)

Log_wrangler
Builder

Hi All,

Thank you for the assistance so far.

I just want to confirm my understanding and ask a follow-up REGEX question with regard to [routeAll] and [routeSubset].

So if I edit the following:
Edit $SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout]
defaultGroup=nothing <----- does setting defaultGroup to "nothing" mean that the default group receives nothing?

As directed with the following stanzas (below):
"everything" (old and new source feeds) goes to the indexer(s)
"subsidiary" goes only to 3rd party TCP receiver....

[tcpout:Everything]
disabled=false
server=x.x.x.x:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234

Is that correct?

Question:
I am in the staging phase, so I have not had a chance to test a regex for the following:

Please advise how to write the REGEX for the [routeAll] to send all data to indexer(s); and how to write the REGEX for the [routeSubset] to only send uncooked data to the 3rd party TCP receiver.

I need an example if possible.

For example, REGEX=(SYSTEM|CONFIG|THREAT): how did the author determine that this is the correct expression?

[routeAll]
REGEX=(.)<--------- This is where I would specify all data would continue to the indexer(s)?
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT) <--------- This is where I would specify which data would go to the 3rd party app?
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary

Any documentation on this is appreciated.

Thank you

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi @Log_wrangler,

If you want to send all data (assuming multiple sourcetypes are sending data to the HF, and the HF sends to the IDX), then you can do the following configuration.

outputs.conf

[tcpout]
defaultGroup=Everything

[tcpout:Everything]
disabled=false
server=x.x.x.x:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234

props.conf, only for those sourcetypes for which you want to transfer data to the 3rd party server:

[yoursourcetype]
TRANSFORMS-routesubset = routesubsetdata

transforms.conf: in the configuration below, if your event contains the word SYSTEM or CONFIG or THREAT, then that event will be routed to the 3rd party, but those events go to the Indexers as well due to defaultGroup=Everything. So based on your requirement you can create the regex, or if you need help then you can ask a new question with some sample data for the regex.

[routesubsetdata]
REGEX=(SYSTEM|CONFIG|THREAT)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary

I hope this helps.

Thanks,
Harshil

0 Karma


Log_wrangler
Builder

Thank you for the clarification.

What happens if the following is in place?

[tcpout]
defaultGroup=nothing

0 Karma

harsmarvania57
Ultra Champion

If you set defaultGroup=nothing, in that case you need to configure props.conf and transforms.conf to route the data to the Indexer and the 3rd party system, as given by you in the question. But you need to do the same configuration for all sourcetypes; otherwise, sourcetypes which are not configured to route all data to the Indexers will be dropped on the HF.

0 Karma
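Before deploying either variant of the accepted configuration above (defaultGroup=Everything with a routeSubset transform) or the defaultGroup=nothing case discussed in this reply, it helps to replay sample events through the three files and see where each one ends up. The script below is an added example, not code from the thread or from Splunk: it parses outputs.conf, props.conf and transforms.conf text, walks the TRANSFORMS chain for an event's sourcetype, and reports the output group(s) the event would reach. The addresses, sourcetypes and log lines are constructed. The model assumes, as outputs.conf.spec describes, that a route set by a transform overrides defaultGroup, that a later _TCP_ROUTING assignment in the same chain replaces an earlier one (so FORMAT must list both groups when an event should reach both), and that TRANSFORMS-<class> settings apply in ASCII order of <class>; verify those against your own Splunk version before relying on the output. It is written in Python so it runs offline, without a forwarder.

```python
"""Offline replay of Splunk forwarder routing config (added example, not Splunk code).

Model assumptions (check against outputs.conf.spec for your version):
 - defaultGroup applies only to events that no transform has routed
 - a later _TCP_ROUTING assignment replaces an earlier one; FORMAT may list several groups
 - TRANSFORMS-<class> settings run in ASCII order of <class>, names in listed order
"""
import configparser
import re

# Constructed configs mirroring the thread's layout; hosts and ports are made up.
OUTPUTS_NOTHING = """
[tcpout]
defaultGroup=nothing

[tcpout:Everything]
disabled=false
server=10.0.0.1:9997

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=10.0.0.2:1234
"""
OUTPUTS_EVERYTHING = OUTPUTS_NOTHING.replace("defaultGroup=nothing", "defaultGroup=Everything")

PROPS = """
[syslog]
TRANSFORMS-routing = routeAll, routeSubset

[cisco:asa]
TRANSFORMS-routing = routeSubset
"""

TRANSFORMS = """
[routeAll]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary
"""
# Variant: a matching event must reach the indexers AND the third-party receiver.
TRANSFORMS_BOTH = TRANSFORMS.replace("FORMAT=Subsidiary", "FORMAT=Everything,Subsidiary")

# (sourcetype, _raw) pairs; constructed, not real logs.
SAMPLE_EVENTS = [
    ("syslog", "Jan 10 12:00:00 fw1 THREAT: blocked 10.1.1.5 -> 10.2.2.9"),
    ("syslog", "Jan 10 12:00:01 fw1 sshd[123]: possible threat, auth failed"),
    ("cisco:asa", "%ASA-5-111008: User 'admin' executed the 'CONFIG' command"),
    ("cisco:asa", "%ASA-6-302013: Built inbound TCP connection 12 for outside"),
    ("wineventlog", "EventCode=4624 An account was successfully logged on"),
]


def parse_conf(text):
    """Parse Splunk's INI-style .conf text; option names are lower-cased by configparser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def load_routing(outputs_text, props_text, transforms_text):
    """Build the per-sourcetype routing chain and collect config warnings."""
    outputs, props, transforms = (parse_conf(t) for t in (outputs_text, props_text, transforms_text))
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    default = outputs.get("tcpout", {}).get("defaultgroup", "")
    routes, warnings = {}, []
    if default not in groups:
        warnings.append(f"defaultGroup={default!r} is not a tcpout group; unrouted events will be dropped")
    for sourcetype, keys in props.items():
        chain = []
        for key in sorted(k for k in keys if k.startswith("transforms-")):
            chain += [n.strip() for n in keys[key].split(",") if n.strip()]
        for name in chain:
            stanza = transforms.get(name)
            if stanza is None:
                warnings.append(f"[{sourcetype}] references missing transform [{name}]")
                continue
            if stanza.get("dest_key") != "_TCP_ROUTING":
                continue  # not a routing transform (e.g. an index or _raw rewrite)
            fmt = [g.strip() for g in stanza.get("format", "").split(",") if g.strip()]
            warnings += [f"[{name}] FORMAT names unknown output group {g!r}" for g in fmt if g not in groups]
            routes.setdefault(sourcetype, []).append((name, re.compile(stanza["regex"]), fmt))
    return {"groups": groups, "default": default, "routes": routes, "warnings": warnings}


def route_event(cfg, sourcetype, raw):
    """Return the output groups an event is sent to; [] means it is dropped on the forwarder."""
    routing = None
    for _name, rx, fmt in cfg["routes"].get(sourcetype, []):
        if rx.search(raw):   # Splunk REGEX is an unanchored, case-sensitive search
            routing = fmt    # model: later assignment replaces the earlier one
    if routing is None:
        return [cfg["default"]] if cfg["default"] in cfg["groups"] else []
    return routing


def replay(outputs_text, transforms_text=TRANSFORMS, events=SAMPLE_EVENTS):
    """Route every sample event; returns ({_raw: [groups]}, [warnings])."""
    cfg = load_routing(outputs_text, PROPS, transforms_text)
    return {raw: route_event(cfg, st, raw) for st, raw in events}, cfg["warnings"]


if __name__ == "__main__":
    for label, text in (("defaultGroup=nothing", OUTPUTS_NOTHING), ("defaultGroup=Everything", OUTPUTS_EVERYTHING)):
        results, warnings = replay(text)
        print(f"== {label}")
        for w in warnings:
            print("  WARNING:", w)
        for raw, groups in results.items():
            print(f"  {groups or ['<dropped>']}: {raw[:48]}")
```

Run as-is, the defaultGroup=nothing pass prints the warning and shows two dropped events: the ASA connection line that matches no regex, and the wineventlog sourcetype that has no props.conf stanza at all, which is the situation described in the reply above. The second pass shows those two reaching Everything instead. The lowercase "threat" line also shows why a regex should be tried against real samples before deployment: (SYSTEM|CONFIG|THREAT) is case-sensitive, so that event stays on the indexer-only path. Under the replace-semantics assumption, a THREAT event routed by routeAll and then routeSubset ends up only at Subsidiary; the TRANSFORMS_BOTH variant is the way to make it reach both groups.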

Log_wrangler
Builder

Thank you, that is what I was concerned about....

0 Karma