I am trying to forward a specific sourcetype (let's call it "mySourcetype") to a third party software with a Heavy Forwarder.
The Heavy Forwarder receives the data on a udp port with a splunk input:
[udp://xxxxx:514]
connection_host = dns
sourcetype = mySourcetype
_SYSLOG_ROUTING = mySyslogRouting
We added the _SYSLOG_ROUTING line to also send it to the third party software as described in outputs.conf:
[syslog:mySyslogRouting]
type = udp
priority = NO_PRI
syslogSourceType = sourcetype::mySourcetype
server = yyyyyy:3000
Unfortunately, the destination "yyyyyy:3000" receives all data (not just this sourcetype) from the HF. So that means all the other sourcetypes and internal Splunk logs...
We tried to use the props.conf and transforms.conf to route it:
[mySourcetype]
TRANSFORMS-changehost = routeSourcetype
The result is the same: the destination receives too much data.
Any idea how to limit the Syslog forwarding to just one sourcetype?
EDIT: I found an old post that seems to be talking about the same issue but with no answers...
It turns out our HF version (8.2.1) had a bug and upgrading to the latest (8.2.2) fixed the issue.
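For reference, the selective syslog routing layout that Splunk documents for a Heavy Forwarder is shown below, with the routing decision moved out of inputs.conf and into a props/transforms pair so that only events of the one sourcetype carry the _SYSLOG_ROUTING key. This is an added example, not the poster's configuration; the indexer group name myIndexers, the transform name routeSourcetypeToSyslog and the indexer host placeholder are assumptions, while the stanza names, hosts and ports from the post are kept as they appear there.

```ini
# inputs.conf (Heavy Forwarder)
# Only the sourcetype is assigned here; no _SYSLOG_ROUTING key on the input,
# so the input itself does not decide where events are forwarded.
[udp://xxxxx:514]
connection_host = dns
sourcetype = mySourcetype

# props.conf
# Bind the routing transform to this sourcetype only; events of any other
# sourcetype (including Splunk's internal logs) never hit the transform.
[mySourcetype]
TRANSFORMS-routeToSyslog = routeSourcetypeToSyslog

# transforms.conf
# REGEX = . matches every event that reaches the transform; DEST_KEY sets the
# syslog routing key and FORMAT names the outputs.conf syslog group to use.
[routeSourcetypeToSyslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = mySyslogRouting

# outputs.conf
# The tcpout group still receives all data (assumed group name myIndexers,
# assumed placeholder host). The syslog group has no defaultGroup, so it only
# receives events whose _SYSLOG_ROUTING key the transform above has set.
[tcpout]
defaultGroup = myIndexers

[tcpout:myIndexers]
server = indexer-host-placeholder:9997

[syslog:mySyslogRouting]
type = udp
priority = NO_PRI
syslogSourceType = sourcetype::mySourcetype
server = yyyyyy:3000
```

After deploying, compare event counts on the syslog receiver against a search such as `index=* sourcetype=mySourcetype` over the same window; a receiver count that exceeds it indicates other sourcetypes are still leaking into the syslog group.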