Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

forwarding syslog data via UDP to 3rd party server. splunk docs instructions not working

jfraiberg
Communicator
‎01-18-2012 07:21 AM

I tried the following and it did not work -

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd

I have since been able to forward ALL data via UDP to the 3rd party system but have not been able to filter specific events. First I tried the following which did not work -

props.conf

[host::10.10.10.*]
TRANSFORMS-bna = send_to_syslog

tranforms.conf

[send_to_syslog]
DEST_KEY = _SYSLOG_ROUTING
REGEX=SYSMGR-6-SUBPROC_SUCCESS_EXIT
FORMAT = my_syslog_group

(note that I tried this without the REGEX as well)

outputs.conf

[syslog:my_syslog_group]
server = 10.10.10.10:514

I verified that the 3rd party system is receiving syslogs via UDP correctly through another mechanism. I also verified that the events I want are coming in from the proper IP with the proper string. If I just put the following in my outputs.conf I get ALL syslog events via UDP to the server but filtering is not working even with the props and transforms in place -

[syslog]
defaultGroup = my_syslog_group

[syslog:my_syslog_group]
disabled = false
server = 10.10.10.10:514

Any ideas? This is from an indexer running 4.1.

Tags (2)
0 Karma
Reply

christantoy
Path Finder
‎10-11-2012 03:14 AM

Good day

I have a question.

Where i can find and edit this?

1.)tranforms.conf
2.)props.conf
3.)outputs.conf

i am using windows and have a splunk instance version version 4.3.4, build 136012

thanks
Cris

0 Karma
Reply

chadfermanxto
Explorer
‎08-06-2012 10:13 AM

I am having the exact same issue. Anyone ever resolve this?

0 Karma
Reply

jfraiberg
Communicator
‎10-11-2012 06:51 AM

3.3 fixed it

0 Karma
Reply

herterich
Explorer
‎10-09-2012 09:21 AM

what version fixed the problem 4.3.4 or 4.3.3 ?

0 Karma
Reply

jfraiberg
Communicator
‎08-06-2012 10:19 AM

I opened a ticket and it ended up being a bug. I was forced to upgrade to the latest version, once I did that the configs worked. I could not get it to work by host however, only by source with regex.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...