Send filtered data to syslog and not index it

cloud_cloud · ‎11-19-2011

How to send filtered system log errors only to syslog and NOT index that data?

My current configuration send to syslog and index data.

props.conf

[nyc]
TRANSFORMS-nyc = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = error
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group, send_to_null

[send_to_null]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

outputs.conf

[syslog:my_syslog_group]
server=192.168.118.128:514
index=false

Takajian · ‎12-01-2011

props.conf
In you case, I assume "nyc" is sourcetype you want to forward to syslog server. So, following configuration will work. Is your target server is syslog, not splunk index server, isn't it.

[nyc]
TRANSFORMS-nyc = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = error
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

outputs.conf

[syslog:my_syslog_group]
server=192.168.118.128:514

sowings · ‎09-09-2013

You'd need a second transform after (as part of the [nyc] sourcetype) to subsequently null queue the local event, after forwarding a copy to syslog.

FRoth · ‎09-09-2013

This forwards the data as syslog - yes.
But the data still gets indexed.

Send filtered data to syslog and not index it

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

Send filtered data to syslog and not index it

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+