Getting Data In

Redirecting logs to a 3rd party only for one index

nikk
Engager

Hi, 

I am trying to redirect logs only for a specified index of mine to a 3rd party, but the target destination is receiving all possible logs.

My inputs.conf contains several indexes for testing purposes.

inputs.conf

[udp://514]
sourcetype = syslog
index = custom_index

[tcp://127.0.0.1:514]
sourcetype = syslog
index = main

[tcp://127.0.0.1:515]
sourcetype = tcp_logs
index = tcp_custom

my props.conf:

# sourcetype stanza, from what I've found in the documentation
[tcp_logs]
TRANSFORMS-indexAndForward = forward_to_third_party

transforms.conf

[forward_to_third_party]
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = my_third_party_destination

and outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = my_third_party_destination

[tcpout:my_third_party_destination]
server = 0.0.0.0:9000
sendCookedData = false

could you please advise?

Thanks 

0 Karma
1 Solution

caiosalonso
Path Finder

Hi,

I would suggest removing the my_third_party_destination value from the defaultGroup property of your [tcpout] stanza. If I understood correctly, I guess this setting will make my_third_party_destination the default output for all your inputs.


0 Karma


isoutamo
SplunkTrust
SplunkTrust

Hi

as @caiosalonso said, by default all events are sent to the defaultGroup output. That should be the definition of your normal Splunk indexer. Add that definition here and then use my_… as you have defined for those which you are sending to the 3rd party receiver.

r. Ismo
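Putting both answers together, here is what the three files look like once the indexer group is the default and only the tcp_logs sourcetype (the tcp_custom input) is rerouted. This is an added example, not the poster's files or Splunk's own documentation: the group name primary_indexers and the hosts indexer.example.internal and siem.example.internal are placeholders I made up, and the port 9997 is just the conventional Splunk-to-Splunk receiving port.

```ini
# outputs.conf (added example; hosts and the primary_indexers name are placeholders)
# Events with no _TCP_ROUTING override go to defaultGroup, so that must be the
# normal indexers, not the third-party receiver.
[tcpout]
defaultGroup = primary_indexers
indexAndForward = true

[tcpout:primary_indexers]
server = indexer.example.internal:9997

# The third-party group is only reached when a transform sets _TCP_ROUTING to it.
[tcpout:my_third_party_destination]
server = siem.example.internal:9000
sendCookedData = false

# props.conf (added example)
# Scoped to the tcp_logs sourcetype, so syslog events from the other two inputs
# never hit the routing transform.
[tcp_logs]
TRANSFORMS-routing = forward_to_third_party

# transforms.conf (added example)
# Any non-empty event of that sourcetype gets its _TCP_ROUTING key replaced with
# the third-party group; everything else keeps the defaultGroup routing.
[forward_to_third_party]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = my_third_party_destination
```

Two things to check when applying this: the props.conf/transforms.conf stanzas only take effect on the instance that parses the data (a heavy forwarder or an indexer), because a universal forwarder does not run TRANSFORMS, and the original server = 0.0.0.0:9000 is a listen-on-any-address value rather than a reachable destination, so a real hostname or IP is needed there. Since sendCookedData = false sends the raw event text to the third party, it is also worth confirming how that link is protected before routing production log data over it.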
