Is it possible to configure a Heavy Forwarder to s...

mjdozza · ‎01-27-2015

In short I have a heavy forwarder that is receiving a bunch of data from a syslog feed. The forwarder will then send the data to my indexer group specified in outputs.conf. I also want to forward a subset of this data to 3rd party application on a different server as well. Fortunately this subset of data is coming from the same host.

I have tried a configuration with props.conf and transforms.conf to route the data from this specific host. I then didn't see this subset of data on my indexers. So would it be possible to have this subset of data be filtered and routed on the Heavy forwarder to a 3rd party application and at the same time sent to an index on my indexer group?

dhorn · ‎01-27-2015

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Configureforwarderswithoutputs.confd#Da...

aakwah · ‎01-27-2015

I think if you create a separate monitor stanza in inputs.conf and tcpout/syslog in outputs.conf for the subset data and apply filtering on it it will work, as per the below example audit logs is indexed by splunk and on the same time sent to syslog server.

inputs.conf

[monitor://$SPLUNK_HOME/var/log/splunk/audit.log*]
_SYSLOG_ROUTING = syslog-out1

outputs.conf

[syslog]
defaultGroup = syslog-out1
[syslog:syslog-out1]
disabled = false
server = x.x.x.x:514
type = tcp

Regards,
Ahmed Elakwah

Is it possible to configure a Heavy Forwarder to send data to Indexers AND to a 3rd party server?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation