Re: filtering by hostname and sourcetype

graju89 · ‎10-17-2019

Hi all,

I need some leads on an issue. I am having trouble in data forwarding from splunk HF to 3rd party. My prop.conf file below:
[host::hostname]
TRANSFORMS-weblog-matrix = send_to_syslog_EFH,send_to_index.
But this is forwarding all the logs from the host. but instead I want to send one of the sourcetype from the host.

Is it possible to filter by both hostname and sourcetype? If so, please peovide some sample props.conf and transformas.conf.

Thanks

gcusello · ‎10-18-2019

Hi graju89,
see this https://docs.splunk.com/Documentation/Splunk/7.3.2/Forwarding/Forwarddatatothird-partysystemsd and https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Transformsconf

Anyway to filter for two parameters there are two ways:

if you can find one of the parameters in the raw logs you can use it to filter logs in transfroms.conf: e.g. if you want to forwarder to third party syslogs, in the beginning of each event you can find the host IP address, so you can use sourcetype as main stanza in props.conf and regex with that IP address in REGEX of transforms.conf.
otherwise you can use the SOURCE_KEY = MetaData:Host option in your transforms.conf, e.g. something like this:

props.conf

[your_sourcetype]
TRANSFORMS-weblog-matrix = send_to_syslog_EFH,send_to_index

transforms.conf

[send_to_syslog_EFH]
SOURCE_KEY = MetaData:Host
REGEX = your_host
DEST_KEY=_SYSLOG_ROUTING
FORMAT=my_syslog_group

Ciao.
Giuseppe

filtering by hostname and sourcetype

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!