Output syslog to external system

skippylou
Communicator

So I set up syslog output forwarding per the Splunk docs, but am not seeing anything being sent out, nor receiving it on the endpoint.

Here is what I have applied (I have also tried it without a props or transforms, just like the example, without success). This was done on the indexer itself; only light forwarders and TCP syslog servers send data into the indexer.

outputs.conf:

[syslog:webreports_syslog_group]
server = myhostname:514
type = tcp


transforms.conf:

[send_to_webreports]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = webreports_syslog_group


props.conf:

[source::/data/logs/httpd/somesite/access*]
TRANSFORMS-weblog-matrix = send_to_webreports

In the metrics.log I see these entries:

08-19-2010 10:34:04.782 INFO Metrics - group=syslog_connections, webreports_syslog_group:myhostname:514:myhostname:514, sourcePort=8089, destIp=myhostname, destPort=514, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.00, _tcp_Kprocessed=0, _tcp_eps=0.00

So I am curious what the double hostname is in the group area. Not sure if this matters much, as the destIp is probably what is used for the connection. I see the doubling up in that line regardless of whether I use a hostname, FQDN or IP.

Also not sure why I see no data being sent out. External system is accessible on tcp/514 from this splunk server.

Thanks for insight.

scott


Stephen_Sorkin
Splunk Employee

I suspect your problem lies in transforms.conf. You appear to be missing REGEX = in your send_to_webreports stanza. You can confirm this by looking for the message 'REGEX field must be specified tranform_name=' in splunkd.log.

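As an added check (not part of the thread, and not Splunk's own tooling), the following Python script parses the three .conf fragments from the post and flags exactly the trap described in the answer: a transform that sets DEST_KEY = _SYSLOG_ROUTING but has no REGEX. It also catches a FORMAT that names no [syslog:...] group in outputs.conf and a props.conf TRANSFORMS- key that references an undefined transform. It assumes Splunk's INI-like .conf syntax (stanza headers in brackets, key = value lines); the sample configs are constructed from the post, and the function and variable names are this example's own.

```python
"""Lint Splunk syslog-routing config for the missing-REGEX trap and dangling references."""
import configparser
import re

# Constructed samples copied from the post (not read from a real $SPLUNK_HOME).
OUTPUTS_CONF = """
[syslog:webreports_syslog_group]
server = myhostname:514
type = tcp
"""

TRANSFORMS_CONF_BROKEN = """
[send_to_webreports]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = webreports_syslog_group
"""

TRANSFORMS_CONF_FIXED = """
[send_to_webreports]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = webreports_syslog_group
"""

PROPS_CONF = """
[source::/data/logs/httpd/somesite/access*]
TRANSFORMS-weblog-matrix = send_to_webreports
"""


def parse_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {key: value}}.

    Splunk .conf files are INI-like. Keys are case-sensitive (DEST_KEY, FORMAT)
    and stanza names may contain ':' and '*' (e.g. [source::/path/access*]),
    so key case is preserved and only '=' is treated as a delimiter.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def lint_syslog_routing(outputs, transforms, props):
    """Return a list of problem strings; an empty list means the routing chain is consistent."""
    problems = []
    syslog_groups = {s[len("syslog:"):] for s in outputs if s.startswith("syslog:")}

    for group in syslog_groups:
        if "server" not in outputs["syslog:" + group]:
            problems.append(f"outputs.conf [syslog:{group}]: no server = host:port")

    for name, stanza in transforms.items():
        if stanza.get("DEST_KEY") != "_SYSLOG_ROUTING":
            continue
        # The trap from the thread: with no REGEX the transform never matches,
        # so nothing is routed and splunkd.log complains instead.
        if "REGEX" not in stanza:
            problems.append(f"transforms.conf [{name}]: REGEX is missing; the transform will never fire")
        else:
            try:
                # Python re is close enough to PCRE for the simple patterns used here.
                re.compile(stanza["REGEX"])
            except re.error as exc:
                problems.append(f"transforms.conf [{name}]: REGEX does not compile: {exc}")
        fmt = stanza.get("FORMAT")
        if fmt is None:
            problems.append(f"transforms.conf [{name}]: FORMAT is missing")
        elif fmt not in syslog_groups:
            problems.append(f"transforms.conf [{name}]: FORMAT={fmt} names no [syslog:{fmt}] stanza in outputs.conf")

    for src, stanza in props.items():
        for key, value in stanza.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for tname in (v.strip() for v in value.split(",")):
                if tname not in transforms:
                    problems.append(f"props.conf [{src}] {key}: transform {tname} is not defined")
    return problems


def check_post_configs():
    """Lint the broken and fixed transforms.conf from the thread against the same outputs/props."""
    outputs = parse_conf(OUTPUTS_CONF)
    props = parse_conf(PROPS_CONF)
    broken = lint_syslog_routing(outputs, parse_conf(TRANSFORMS_CONF_BROKEN), props)
    fixed = lint_syslog_routing(outputs, parse_conf(TRANSFORMS_CONF_FIXED), props)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = check_post_configs()
    print("broken config:", broken)
    print("fixed config: ", fixed)
```

Against the original stanzas this reports the single missing-REGEX problem; once REGEX = . is added the lint returns no findings. On a real deployment you would feed it the merged output of `splunk btool transforms list` (and the outputs/props equivalents) rather than the raw files, so that app-layer overrides are included.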


mcronkrite
Splunk Employee

transforms.conf:

[send_to_webreports]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = webreports_syslog_group


Lowell
Super Champion

If you want to match everything, then I recommend just using REGEX = . There is no need to include the star "*". (This should be just slightly more efficient.)

skippylou
Communicator

Thanks! I didn't see any mention of this in the docs, but putting 'REGEX = .*' as part of it worked just perfectly.
