Getting Data In

Logs with parameter INDEXED_EXTRACTIONS on UF cannot be forwarded from indexer via syslog

ludoz13
Path Finder

Hello Splunkers,

I have some trouble forwarding data to third-party systems via syslog.
All logs are forwarded via syslog except one where the parameter INDEXED_EXTRACTIONS is set on a UF.
I share my configuration to explain my problem:

UF :
inputs :
[monitor://c:\tmp\logs.csv]
sourcetype = fileshared

props:
[fileshared]

KV_MODE=none
INDEXED_EXTRACTIONS=csv

INDEXER :

props:
[fileshared]
TRANSFORMS-syslog = send_to_syslog

transforms:
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

outputs:
[syslog:my_syslog_group]
server = loghost.example.com:514

Logs with sourcetype fileshared are indexed as expected (fields and logs indexed), but they are not forwarded via syslog.
All other logs from this UF without the INDEXED_EXTRACTIONS parameter are indexed and forwarded via syslog.

In the Splunk documentation, I see this:

When you forward structured data to an indexer, it is not parsed when it arrives at the indexer, even if you have configured props.conf on that indexer with INDEXED_EXTRACTIONS. Forwarded data skips the following pipelines on the indexer, which precludes any parsing of that data on the indexer:

I understand that it is not possible to set parsing and transformation on the indexer for a sourcetype with the INDEXED_EXTRACTIONS parameter. Do you know if there is a way to forward this kind of data without another method?

Thanks for your help,

Regards,
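As an added example (not code from this thread or from Splunk), the following Python lint reproduces the check behind this question: it parses the props.conf, transforms.conf and outputs.conf fragments in the same stanza/key=value layout shown above and reports an indexer-side TRANSFORMS-* rule that cannot take effect because the forwarder-side props.conf for that sourcetype sets INDEXED_EXTRACTIONS (the behaviour the quoted documentation describes), plus a DEST_KEY whose outputs.conf group stanza is of the wrong type or missing. The sample conf text is constructed from the configuration posted in the question; the extra [plainlog] stanza is an invented contrast case, and the names parse_conf, find_routing_problems and lint_thread_config are this example's own.

```python
"""Lint Splunk .conf fragments for routing rules that cannot take effect.

Added example, not code from the thread or from Splunk. It parses the
stanza/key=value layout of props.conf, transforms.conf and outputs.conf
and flags (1) an indexer-side TRANSFORMS-* rule for a sourcetype whose
forwarder-side props.conf has INDEXED_EXTRACTIONS set, and (2) a routing
transform whose DEST_KEY does not match the outputs.conf stanza it names.
"""
import re
from typing import Dict, List

Stanzas = Dict[str, Dict[str, str]]

# Which outputs.conf stanza prefix a routing DEST_KEY is expected to target.
DEST_KEY_TO_OUTPUT = {
    "_SYSLOG_ROUTING": "syslog",
    "_TCP_ROUTING": "tcpout",
}


def parse_conf(text: str) -> Stanzas:
    """Parse Splunk-style conf text: [stanza] headers followed by key = value lines."""
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def find_routing_problems(uf_props: Stanzas, idx_props: Stanzas,
                          idx_transforms: Stanzas, idx_outputs: Stanzas) -> List[str]:
    """Return human-readable findings about indexer-side routing rules."""
    findings: List[str] = []
    for sourcetype, settings in idx_props.items():
        transform_names: List[str] = []
        for key, value in settings.items():
            if key.upper().startswith("TRANSFORMS-"):
                transform_names += [v.strip() for v in value.split(",") if v.strip()]
        if not transform_names:
            continue
        # Per the documentation quoted in the thread, structured data parsed on
        # the forwarder (INDEXED_EXTRACTIONS) skips the indexer parsing
        # pipelines, so these transforms never see the events.
        if "INDEXED_EXTRACTIONS" in uf_props.get(sourcetype, {}):
            findings.append(
                f"[{sourcetype}]: indexer transforms {transform_names} will not run; "
                f"the forwarder sets INDEXED_EXTRACTIONS="
                f"{uf_props[sourcetype]['INDEXED_EXTRACTIONS']} and sends pre-parsed data")
        for name in transform_names:
            t = idx_transforms.get(name)
            if t is None:
                findings.append(f"[{sourcetype}]: transform '{name}' is not defined in transforms.conf")
                continue
            dest_key = t.get("DEST_KEY", "")
            group = t.get("FORMAT", "")
            expected = DEST_KEY_TO_OUTPUT.get(dest_key)
            if expected is None:
                continue  # not a routing transform; nothing to cross-check
            if f"{expected}:{group}" not in idx_outputs:
                findings.append(
                    f"[{sourcetype}]: transform '{name}' routes to {dest_key}={group} "
                    f"but outputs.conf has no [{expected}:{group}] stanza")
    return findings


# Constructed sample mirroring the configuration posted in the question;
# [plainlog] is an invented sourcetype without INDEXED_EXTRACTIONS for contrast.
UF_PROPS = """
[fileshared]
KV_MODE = none
INDEXED_EXTRACTIONS = csv
"""
IDX_PROPS = """
[fileshared]
TRANSFORMS-syslog = send_to_syslog

[plainlog]
TRANSFORMS-syslog = send_to_syslog
"""
IDX_TRANSFORMS = """
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
"""
IDX_OUTPUTS = """
[syslog:my_syslog_group]
server = loghost.example.com:514
"""


def lint_thread_config() -> List[str]:
    """Run the lint over the sample above; only [fileshared] should be flagged."""
    return find_routing_problems(parse_conf(UF_PROPS), parse_conf(IDX_PROPS),
                                 parse_conf(IDX_TRANSFORMS), parse_conf(IDX_OUTPUTS))


if __name__ == "__main__":
    for finding in lint_thread_config():
        print(finding)
```

Running it on the sample yields a single finding for [fileshared] and none for [plainlog], which matches what the question reports: the same transform routes ordinary sourcetypes but is silently skipped for the one parsed on the forwarder.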

vince2010091
Path Finder

Hi Ludoz13,

maybe REGEX = .*

Bye

0 Karma

ludoz13
Path Finder

Hi vince,

I reused the same regex mentioned in the documentation;
it is not the problem, but thanks for your help.

Bye

0 Karma

sbbadri
Motivator

@ludoz13

try this,

UF :
inputs :
[monitor://c:\tmp\logs.csv]
sourcetype = fileshared
props:
[fileshared]
KV_MODE=none
INDEXED_EXTRACTIONS=csv

INDEXER :

props:
[fileshared]
TRANSFORMS-routing=syslogRouting

transforms:
[syslogRouting]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=syslogGroup

outputs:
[tcpout:syslogGroup]
server = loghost.example.com:514

For further details, please check the link below:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad

0 Karma

ludoz13
Path Finder

Hi sbbadri,

Thanks for your help.
Unfortunately, this does not work.

In my understanding, the setting "[fileshared] TRANSFORMS-routing=syslogRouting" is not read on the indexer because of the INDEXED_EXTRACTIONS parameter.

I think the only way is either removing the INDEXED_EXTRACTIONS parameter or using the forwardedindex.0.whitelist option to select only the indexes I want to forward.

I welcome any other ideas 🙂

Thanks,

0 Karma