Getting Data In

Redirecting logs to a 3rd party only for one index

nikk
Engager

Hi, 

I am trying to redirect logs only for a specified index of mine to a 3rd party, but the target destination is receiving all possible logs.

My inputs.conf contains several indexes for testing purposes.

inputs.conf

[udp://514]
sourcetype = syslog
index = custom_index

[tcp://127.0.0.1:514]
sourcetype = syslog
index = main

[tcp://127.0.0.1:515]
sourcetype = tcp_logs
index = tcp_custom

my props.conf:

# Sourcetype stanza, from what I've found in the documentation.
[tcp_logs]
TRANSFORMS-indexAndForward = forward_to_third_party

transforms.conf

[forward_to_third_party]
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = my_third_party_destination

and outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = my_third_party_destination

[tcpout:my_third_party_destination]
server = 0.0.0.0:9000
sendCookedData = false

Could you please advise?

Thanks

caiosalonso
Path Finder

Hi,

I would suggest removing the my_third_party_destination value from your defaultGroup property of [tcpout] stanza. If I understood correctly, I guess this setting will make my_third_party_destination the default output for all your inputs.


isoutamo
SplunkTrust

Hi

As @caiosalonso said, by default all events are sent to the defaultGroup output. That should be the definition of your normal Splunk indexer. Add that definition here and then use my_… as you have defined it for those which you are sending to the 3rd-party receiver.

r. Ismo
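Putting both answers together, this is what the three files look like once defaultGroup points at the regular indexers and only the routed sourcetype reaches the 3rd-party receiver. It is an added example, not the poster's files or a Splunk sample: the group name splunk_indexers and both server addresses are assumptions (documentation-range placeholders), while the props.conf and transforms.conf stanzas are the ones from the question.

```ini
# outputs.conf
[tcpout]
indexAndForward = true
# Every event that is NOT explicitly routed by a transform lands here, so the
# default must be the normal indexer group, not the 3rd-party receiver.
# Group name and address are assumptions for this example.
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = 192.0.2.10:9997

[tcpout:my_third_party_destination]
# Placeholder address; raw (uncooked) data for a non-Splunk receiver.
server = 192.0.2.20:9000
sendCookedData = false

# props.conf -- unchanged from the question: only the tcp_logs sourcetype,
# which inputs.conf assigns to index tcp_custom, gets the routing transform.
[tcp_logs]
TRANSFORMS-indexAndForward = forward_to_third_party

# transforms.conf -- unchanged from the question. Matching events go only to
# the group(s) named in FORMAT; to keep a copy on the indexers as well, list
# both groups comma-separated, e.g. splunk_indexers,my_third_party_destination.
[forward_to_third_party]
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = my_third_party_destination
```

To confirm which file each effective setting comes from, run `splunk btool outputs list --debug` and `splunk btool props list tcp_logs --debug` on the forwarder; if defaultGroup still shows the 3rd-party group, another outputs.conf in a higher-precedence app is overriding the change.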
