Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Index all and selective forward
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index all and selective forward
Hi all. I need some help to index all data coming into one server and only forward 3 sourcetypes to a 2nd server. Receiving and indexing the data is not a problem, but I cannot seem to get the 3 sourcetypes to the 2nd server. Any help would be appreciated.
My props.conf
[cisco:asa]
TRANSFORMS-routing=gsoc
[icsp]
TRANSFORMS-routing=gsoc
[syslog]
TRANSFORMS-routing=gsoc
transforms.conf
[gsoc]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=gsocPrimary
and outputs.conf
[tcpout]
defaultGroup=nothing
indexAndForward=true
[tcpout:gsocPrimary]
server=*.*.*.*:9997
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Adevill,
Are you trying to forward the data from HF?
The connectivity between source and destination is exist?
Try the below outputs
[tcpout]
defaultGroup=none
indexAndForward=true
[tcpout:gsocPrimary]
server=*.*.*.*:9997
And why are using the 9997 port why can't use a port like 514?
The 9997 port is already is used to get the data from the forwarder to an indexer. Don't use the same port for two different activities.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @Vardhan
Yes, I'm trying to forward from HF to a test server at the moment, that's why the port 9997 doesn't matter now, but you are correct, I would have chosen a different one for deployment. Connectivity is not a problem as I can forward all data to the 2nd server, but it fails when trying to filter for only the 3 sourcetypes. The solution you suggested also didn't work unfortunately.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Adevill just give a try by keeping seperate stanza's in transform.conf.
props
[cisco:asa]
TRANSFORMS-routing=gsoc1
[icsp]
TRANSFORMS-routing=gsoc2
[syslog]
TRANSFORMS-routing=gsoc3
[gsoc1]
REGEX=(.*)
DEST_KEY=_TCP_ROUTING
FORMAT=gsocPrimary
[gsoc2]
REGEX=(.*)
DEST_KEY=_TCP_ROUTING
FORMAT=gsocPrimary
[gsoc3]
REGEX=(.*)
DEST_KEY=_TCP_ROUTING
FORMAT=gsocPrimary
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Vardhan
Unfortunately it's also not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Adevill Can u try with one source type first and check the result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Vardhan
Even if I try just 1 sourcetype it doesn't work.
I've then removed the forwarding, then re-enabled it for all tags, which worked, then changed to a single sourcetype again which failed then again. Any other ideas?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
