Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Indexed data from splunk server to syslog server(udp 514)

cleelakrishna
Loves-to-Learn
‎06-14-2017 07:48 AM

i'm able to send all the cooked data to syslog server by configuring outputs.conf.

but currently my requirement was to send cooked data by filtering based on INDEX. (index=watson) . is there any thing to change the configarations.

props.conf
[index::watson]
TRANSFORMS-watson = wat_to_syslog

transforms.conf
[wat_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = wat_syslog_group

outputs.conf
[syslog]
defaultGroup=wat_syslog_group

[syslog:wat_syslog_group]
server = splunk-syslog.XXXX.com:514
type=udp

Tags (1)
0 Karma
Reply

anand_singh17
Path Finder
‎07-28-2017 03:57 AM

There is no options yet, where Indexer to be used as Heavy Forwarder and forward data.

I too had the same requirement, but it did not work.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎06-20-2017 08:59 AM

props.conf doesn't support [index::watson] like that.

If you want to route all the data in the index, you have to set the routing on all the sourcetypes in that index. Unless you have a really good reason for this, I wouldn't do it. BUT if it is a requirement, then go for it, just know that props cannot be applied to index.

http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Propsconf

You could filter by index by updating the transforms to this: 

[wat_to_syslog]
SOURCE_KEY = MetaData:Index
REGEX = watson
DEST_KEY = _SYSLOG_ROUTING
FORMAT = wat_syslog_group
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-16-2017 11:31 AM

cleelakrishna,

If this answer by alacercogitatus resolved your issue, could you please mark it Accepted?

If it did not, please post back with more information or what's not working right so we can help finish this up!

Happy Splunking,
Rich

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎06-17-2017 03:42 PM

I'm not sure anyone understands what the question actually is.

You have a splunk data collector (UF, HF, full install, whatever) that is reading data and sending it to Splunk. You want to do what exactly with that data?

It seems most likely that you are trying to duplicate anything that comes in to a certain index to a syslog output?

Can you describe this situation more fully? Like, describe a particular event as it travels through the system. Here's a start, please correct it or change it as necessary and add detail as appropriate: it gets read off the disk by the UF installed on the source machine, whose outputs.conf send it to machine Y, my main Splunk Indexer... At that time I want to, on anything that comes in to index watson, also send that to a syslog machine.

Thanks,
Rich

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...