Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Logs with parameter INDEXED_EXTRACTIONS on UF could no be forwarded from indexer via syslog

ludoz13
Path Finder
‎12-07-2017 03:27 AM

Hello splunker,

I have some trouble to forward data to third-party systems via syslog.
All logs are forwarded via syslog except one where parameter INDEXED_EXTRACTIONS is set on a uf.
I share my configuration to explaint you my problem :

UF :
inputs :
[monitor://c:\tmp\logs.csv]
sourcetype = fileshared

props:
[fileshared]

KV_MODE=none
INDEXED_EXTRACTIONS=csv

INDEXER :

props:
[fileshared]
TRANSFORMS-syslog = send_to_syslog

transfoms:
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

outputs:
[syslog:my_syslog_group]
server = loghost.example.com:514

Logs with sourcetype fileshared are indexed as expected (fields and logs indexed) but there are not forwarded via syslog
All others logs from this uf without INDEXED_EXTRACTIONS parameter are indexed and forwarded via syslog

On Splunk documentation, I see that :

When you forward structured data to an indexer, it is not parsed when it arrives at the indexer, even if you have configured props.conf on that indexer with INDEXED_EXTRACTIONS. Forwarded data skips the following pipelines on the indexer, which precludes any parsing of that data on the indexer:

I understand that Is not possible to set parsing and transformation on indexer for sourcetype with INDEXED_EXTRACTION paramater . Do you know if there is a way to forward this kind of data without another method ?

Thanks for your help,

Regards,

Reply

vince2010091
Path Finder
‎12-07-2017 03:03 PM

Hi Ludoz13,

maybe REGEX = .*

Bye

0 Karma
Reply

ludoz13
Path Finder
‎12-13-2017 05:10 AM

Hi vince,

I reuse the same regex mentioned in the documentation
it not the problem but thanks for your help

Bye

0 Karma
Reply

sbbadri
Motivator
‎12-07-2017 07:51 AM

@ludoz13

try this,

UF :
inputs :
[monitor://c:\tmp\logs.csv]
sourcetype = fileshared
props:
[fileshared]
KV_MODE=none
INDEXED_EXTRACTIONS=csv

INDEXER :

props:
[fileshared]
TRANSFORMS-routing=syslogRouting

transfoms:
[syslogRouting]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=syslogGroup

outputs:
[tcpout:syslogGroup]
server = loghost.example.com:514

For further details, please check the below link,
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad

0 Karma
Reply

ludoz13
Path Finder
‎12-13-2017 05:18 AM

Hi ssbadri,

Thanks for your help,
Unfortunenelty, this does not work.

In my understanding, the setting "[fileshared] TRANSFORMS-routing=syslogRouting" is not read on the indexer because of INDEXED_EXTRACTIONS paramater.

I think that the only way is either removing INDEXED_EXTRACTIONS parameter or either using forwardedindex.0.whitelist option to select only indexes I want to forward data

I am taking all others ideas 🙂

Thanks,

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...