Re: Send filtered data to syslog and not index it

cloud_cloud · ‎11-19-2011

How to send filtered system log errors only to syslog and NOT index that data?

My current configuration send to syslog and index data.

props.conf

[nyc]
TRANSFORMS-nyc = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = error
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group, send_to_null

[send_to_null]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

outputs.conf

[syslog:my_syslog_group]
server=192.168.118.128:514
index=false

Takajian · ‎12-01-2011

props.conf
In you case, I assume "nyc" is sourcetype you want to forward to syslog server. So, following configuration will work. Is your target server is syslog, not splunk index server, isn't it.

[nyc]
TRANSFORMS-nyc = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = error
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

outputs.conf

[syslog:my_syslog_group]
server=192.168.118.128:514

sowings · ‎09-09-2013

You'd need a second transform after (as part of the [nyc] sourcetype) to subsequently null queue the local event, after forwarding a copy to syslog.

FRoth · ‎09-09-2013

This forwards the data as syslog - yes.
But the data still gets indexed.

Send filtered data to syslog and not index it

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation