Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Redirecting logs to 3party only for One index

nikk
Engager
‎07-24-2023 02:08 AM

Hi, 

I am trying to redirect logs only for a specified index of mine to 3rd party. But The target destination is receiving all possible logs. 

My input.conf contains several index for testing purposed. 

 

inputs.conf

[udp://514]
sourcetype = syslog
index = custom_index

[tcp://127.0.0.1:514]
sourcetype = syslog
index = main

[tcp://127.0.0.1:515]
sourcetype = tcp_logs
index = tcp_custom

 

my props: 

 

[tcp_logs] // source type stanze from what I've found in the documentaiton.
TRANSFORMS-indexAndForward = forward_to_third_party

 

transforms.conf

 

[forward_to_third_party]
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = my_third_party_destination

 

and output.conf

 

[tcpout]
indexAndForward = true
defaultGroup = my_third_party_destination

[tcpout:my_third_party_destination]
server = 0.0.0.0:9000
sendCookedData = false

 

could you please advice? 

Thanks 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

caiosalonso
Path Finder
‎07-25-2023 09:01 AM

Hi,

I would suggest removing the my_third_party_destination value from your defaultGroup property of [tcpout] stanza. If I understood correctly, I guess this setting will make my_third_party_destination the default output for all your inputs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

caiosalonso
Path Finder
‎07-25-2023 09:01 AM

Hi,

I would suggest removing the my_third_party_destination value from your defaultGroup property of [tcpout] stanza. If I understood correctly, I guess this setting will make my_third_party_destination the default output for all your inputs.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-25-2023 09:53 AM

Hi

as @caiosalonso said, by default all events have sent to defaultGroup output. That should be definition of your normal splunk indexer. Add that definition here and then use my_… as you have defined for those which you are sending to 3rd party receiver.

r. Ismo

Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...