Getting Data In

Redirecting logs to a 3rd party only for one index

nikk
Engager

Hi, 

I am trying to redirect logs only for a specified index of mine to a 3rd party. But the target destination is receiving all possible logs.

My inputs.conf contains several indexes for testing purposes.

 

inputs.conf

[udp://514]
sourcetype = syslog
index = custom_index

[tcp://127.0.0.1:514]
sourcetype = syslog
index = main

[tcp://127.0.0.1:515]
sourcetype = tcp_logs
index = tcp_custom

 

my props: 

 

[tcp_logs] # sourcetype stanza, from what I've found in the documentation.
TRANSFORMS-indexAndForward = forward_to_third_party

 

transforms.conf

 

[forward_to_third_party]
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = my_third_party_destination

 

and outputs.conf

 

[tcpout]
indexAndForward = true
defaultGroup = my_third_party_destination

[tcpout:my_third_party_destination]
server = 0.0.0.0:9000
sendCookedData = false

 

Could you please advise?

Thanks 

1 Solution

caiosalonso
Path Finder

Hi,

I would suggest removing the my_third_party_destination value from the defaultGroup property of your [tcpout] stanza. If I understood correctly, I guess this setting makes my_third_party_destination the default output for all your inputs.



isoutamo
SplunkTrust

Hi

As @caiosalonso said, by default all events are sent to the defaultGroup output. That should be the definition of your normal Splunk indexer. Add that definition here and then use my_… as you have defined for those which you are sending to the 3rd party receiver.

r. Ismo
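Putting the two answers together, here is a corrected set of .conf files. This is an added example, not configuration from the original post or from Splunk's documentation verbatim; it keeps the poster's input, index, group and transform names. The receiver address 203.0.113.10:9000 is an assumed placeholder for the real third-party host, and the `_TCP_ROUTING` line in inputs.conf is shown as the simpler alternative to the poster's props.conf/transforms.conf pair for routing an entire input (the pair can stay in place instead; a props/transforms routing rule takes precedence over inputs.conf `_TCP_ROUTING`, which in turn takes precedence over `defaultGroup`).

```ini
# outputs.conf (single instance that indexes locally, as in the question)
[tcpout]
# Keep indexing everything locally. With no defaultGroup set, nothing is
# forwarded automatically: only events that carry _TCP_ROUTING leave the box.
indexAndForward = true

# The third-party receiver. Host and port are assumed placeholders;
# replace them with the receiver's real address.
[tcpout:my_third_party_destination]
server = 203.0.113.10:9000
# Raw (uncooked) byte stream for a non-Splunk receiver.
sendCookedData = false

# inputs.conf: route this one input without props.conf/transforms.conf.
[tcp://127.0.0.1:515]
sourcetype = tcp_logs
index = tcp_custom
_TCP_ROUTING = my_third_party_destination

# These inputs carry no _TCP_ROUTING, so they are indexed locally only.
[udp://514]
sourcetype = syslog
index = custom_index

[tcp://127.0.0.1:514]
sourcetype = syslog
index = main
```

If this instance is instead a heavy forwarder in front of a set of indexers, follow isoutamo's variant: add a `[tcpout:indexers]` group for them and set `defaultGroup = indexers`, leaving `_TCP_ROUTING` on the one input as above. Two checks worth doing before calling it done: confirm on the receiver that only `tcp_custom` traffic arrives (the original symptom was everything arriving), and remember that `sendCookedData = false` sends the raw log text in clear text over TCP. If the third party's receiver supports TLS, the `[tcpout:...]` group accepts `clientCert`, `sslPassword` and `sslVerifyServerCert = true` so the feed is encrypted and the receiver is authenticated.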
