Getting Data In

Redirecting logs to 3rd party only for one index

nikk
Engager

Hi,

I am trying to redirect logs only for a specified index of mine to a 3rd party. But the target destination is receiving all possible logs.

My inputs.conf contains several indexes for testing purposes.

inputs.conf

[udp://514]
sourcetype = syslog
index = custom_index

[tcp://127.0.0.1:514]
sourcetype = syslog
index = main

[tcp://127.0.0.1:515]
sourcetype = tcp_logs
index = tcp_custom

my props.conf:

# source type stanza, from what I've found in the documentation
[tcp_logs]
TRANSFORMS-indexAndForward = forward_to_third_party

transforms.conf

[forward_to_third_party]
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = my_third_party_destination

and outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = my_third_party_destination

[tcpout:my_third_party_destination]
server = 0.0.0.0:9000
sendCookedData = false

Could you please advise?

Thanks

0 Karma
1 Solution

caiosalonso
Path Finder

Hi,

I would suggest removing the my_third_party_destination value from the defaultGroup property of the [tcpout] stanza. If I understood correctly, I guess this setting makes my_third_party_destination the default output for all your inputs.

0 Karma


isoutamo
SplunkTrust

Hi,

As @caiosalonso said, by default all events are sent to the defaultGroup output. That should be the definition of your normal Splunk indexer. Add that definition here and then use my_… as you have defined for those events which you are sending to the 3rd party receiver.

r. Ismo
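For readers who want to see the two answers above applied to the poster's files in one place, here is the full set of stanzas as an added example (not the poster's configuration and not an official Splunk example). It follows Ismo's variant: defaultGroup points at the normal indexers, and only the tcp_logs sourcetype carries a _TCP_ROUTING value that overrides that default. The group name splunk_indexers, the TRANSFORMS-routing class name, and the hostnames and ports are assumptions for the example.

```ini
# inputs.conf (as in the question; index tcp_custom is the one that should reach the 3rd party)
[udp://514]
sourcetype = syslog
index = custom_index

[tcp://127.0.0.1:514]
sourcetype = syslog
index = main

[tcp://127.0.0.1:515]
sourcetype = tcp_logs
index = tcp_custom

# props.conf: the transform class is attached only to the tcp_logs sourcetype,
# so events from the other two inputs are never evaluated by it
[tcp_logs]
TRANSFORMS-routing = forward_to_third_party

# transforms.conf: every event of the sourcetype matches REGEX, and FORMAT names the
# tcpout group(s) it is routed to. To keep a copy on the indexers as well, list both
# groups: FORMAT = splunk_indexers,my_third_party_destination
[forward_to_third_party]
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = my_third_party_destination

# outputs.conf
[tcpout]
# Events that carry no _TCP_ROUTING value go here, not to the 3rd party.
# The accepted answer's alternative is to leave defaultGroup unset; then unrouted
# events are only indexed locally (indexAndForward) and forwarded nowhere.
defaultGroup = splunk_indexers
indexAndForward = true

[tcpout:splunk_indexers]
# assumed hostname/port for the example
server = indexer.example.internal:9997

[tcpout:my_third_party_destination]
# 0.0.0.0 is a wildcard bind address, not a reachable receiver: use the receiver's real address
server = siem-receiver.example.internal:9000
# raw (uncooked) events over plain TCP to a non-Splunk receiver, so keep this path on a trusted segment
sendCookedData = false
```

After restarting the instance, `splunk btool outputs list --debug` shows which file each effective setting comes from, which is the quickest way to confirm that no other app still sets defaultGroup to the third-party group. Note that _TCP_ROUTING is applied at parse time, so this routing only works on an instance that parses the data (an indexer or heavy forwarder), and that a routed event goes only to the groups named in FORMAT, which is why the indexer group must be listed there too if you want it retained locally.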
