Send filtered data to syslog and not index it

cloud_cloud · ‎11-19-2011

How to send filtered system log errors only to syslog and NOT index that data?

My current configuration send to syslog and index data.

props.conf

[nyc]
TRANSFORMS-nyc = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = error
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group, send_to_null

[send_to_null]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

outputs.conf

[syslog:my_syslog_group]
server=192.168.118.128:514
index=false

Takajian · ‎12-01-2011

props.conf
In you case, I assume "nyc" is sourcetype you want to forward to syslog server. So, following configuration will work. Is your target server is syslog, not splunk index server, isn't it.

[nyc]
TRANSFORMS-nyc = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = error
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

outputs.conf

[syslog:my_syslog_group]
server=192.168.118.128:514

sowings · ‎09-09-2013

You'd need a second transform after (as part of the [nyc] sourcetype) to subsequently null queue the local event, after forwarding a copy to syslog.

FRoth · ‎09-09-2013

This forwards the data as syslog - yes.
But the data still gets indexed.

Send filtered data to syslog and not index it

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Join the Conversation

Send filtered data to syslog and not index it

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)