Replicate a subset of data to a third-party system...

evinasco · ‎03-14-2019

Hi team

i need to foward a copy data from specific index to third-party system, someone knows how i can do that

regards

MuS · ‎03-14-2019

Hi evinasco,

Have a look at the docs here https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Replicate_a_subse...

Please note, that this setting is only configurable based on host, source or sourcetype but NOT on index.

Hope this helps ...

cheers, MuS

evinasco · ‎03-15-2019

Hi @MuS, Do you know if this configuration shall do in the transforms.conf?

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

[routeSubset]
REGEX=(sourcetype1|sourcetype2|sourcetype3)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything

regadrs

MuS · ‎03-17-2019

Actually something like this would make more sense:

props.conf

[sourcetype1]
TRANSFORMS-001-Send-Subsidiary-sourcetype1 = Send-Subsidiary-sourcetype

[sourcetype2]
TRANSFORMS-002-Send-Subsidiary-sourcetype2 = Send-Subsidiary-sourcetype

[sourcetype1]
TRANSFORMS-003-Send-Subsidiary-sourcetype3 = Send-Subsidiary-sourcetype

transforms.conf

[Send-Subsidiary-sourcetype]
DEST_KEY = _TCP_ROUTING
FORMAT = Subsidiary, Everything

The reason for that is if you send everything by default to one destination, there is no need to configure a transforms stanza for this and add additional parsing load for these events 😉

Hope that makes sense ...

cheers, MuS

Replicate a subset of data to a third-party system for specific index

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Get More Out of Your Security Practice With a SIEM