I tried the following and it did not work -
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd
I have since been able to forward ALL data via UDP to the 3rd party system but have not been able to filter specific events. First I tried the following which did not work -
props.conf
[host::10.10.10.*]
TRANSFORMS-bna = send_to_syslog
transforms.conf
[send_to_syslog]
DEST_KEY = _SYSLOG_ROUTING
REGEX = SYSMGR-6-SUBPROC_SUCCESS_EXIT
FORMAT = my_syslog_group
(note that I tried this without the REGEX as well)
outputs.conf
[syslog:my_syslog_group]
server = 10.10.10.10:514
I verified that the 3rd party system is receiving syslogs via UDP correctly through another mechanism. I also verified that the events I want are coming in from the proper IP with the proper string. If I just put the following in my outputs.conf I get ALL syslog events via UDP to the server but filtering is not working even with the props and transforms in place -
[syslog]
defaultGroup = my_syslog_group
[syslog:my_syslog_group]
disabled = false
server = 10.10.10.10:514
Any ideas? This is from an indexer running 4.1.
Good day
I have a question.
Where can I find and edit these?
1.) transforms.conf
2.) props.conf
3.) outputs.conf
I am using Windows and have a Splunk instance, version 4.3.4, build 136012.
Thanks
Cris
I am having the exact same issue. Anyone ever resolve this?
3.3 fixed it
What version fixed the problem, 4.3.4 or 4.3.3?
I opened a ticket and it ended up being a bug. I was forced to upgrade to the latest version; once I did that, the configs worked. I could not get it to work by host however, only by source with regex.
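As an added illustration (not code from the thread or from Splunk itself), here is a small Python model of how the stanzas in the question chain together: a host:: or source:: props stanza selects a transform, and the transform contributes its FORMAT output group only when DEST_KEY is _SYSLOG_ROUTING and its REGEX matches the raw event. The props and transforms stanzas are copied from the question; the extra source::udp:514 stanza (echoing the last reply, which got routing working by source rather than host) and the sample events are constructed assumptions, and the model ignores Splunk's own precedence and parsing-queue details.

```python
import fnmatch
import re
from configparser import ConfigParser

# Stanzas from the question, plus an assumed source:: stanza (the last reply
# reports that filtering by source with a regex, not by host, worked for them).
PROPS_CONF = """
[host::10.10.10.*]
TRANSFORMS-bna = send_to_syslog
[source::udp:514]
TRANSFORMS-bna = send_to_syslog
"""
TRANSFORMS_CONF = """
[send_to_syslog]
DEST_KEY = _SYSLOG_ROUTING
REGEX = SYSMGR-6-SUBPROC_SUCCESS_EXIT
FORMAT = my_syslog_group
"""

def load_conf(text):
    """Parse a .conf file into {stanza: {key: value}}, preserving key case."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str              # keep DEST_KEY / REGEX / FORMAT as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def syslog_groups(event, props, transforms):
    """Simplified routing model: return the syslog output groups that an event
    (dict with 'host', 'source' and '_raw') would be forwarded to."""
    groups = set()
    for stanza, keys in props.items():
        kind, _, pattern = stanza.partition("::")
        if kind not in ("host", "source") or not fnmatch.fnmatch(event[kind], pattern):
            continue                  # this props stanza does not apply to the event
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name, {})
                if t.get("DEST_KEY") != "_SYSLOG_ROUTING":
                    continue          # not a syslog routing transform
                regex = t.get("REGEX")  # no REGEX means every selected event is routed
                if regex is None or re.search(regex, event["_raw"]):
                    groups.add(t["FORMAT"])
    return groups

PROPS = load_conf(PROPS_CONF)
TRANSFORMS = load_conf(TRANSFORMS_CONF)
# Constructed sample events: one that should be routed, one from the same host that should not.
HIT = {"host": "10.10.10.5", "source": "udp:514", "_raw": "%SYSMGR-6-SUBPROC_SUCCESS_EXIT: ok"}
MISS = {"host": "10.10.10.5", "source": "udp:514", "_raw": "%LINK-3-UPDOWN: Gi0/1 down"}
```

Running `syslog_groups(HIT, PROPS, TRANSFORMS)` on each sample shows which events the regex filter lets through before anything is deployed to a real indexer.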