Getting Data In

forwarding syslog data via UDP to 3rd party server. splunk docs instructions not working

jfraiberg
Communicator

I tried the following and it did not work -

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd

I have since been able to forward ALL data via UDP to the 3rd party system but have not been able to filter specific events. First I tried the following which did not work -

props.conf

[host::10.10.10.*]
TRANSFORMS-bna = send_to_syslog

tranforms.conf

[send_to_syslog]
DEST_KEY = _SYSLOG_ROUTING
REGEX=SYSMGR-6-SUBPROC_SUCCESS_EXIT
FORMAT = my_syslog_group

(note that I tried this without the REGEX as well)

outputs.conf

[syslog:my_syslog_group]
server = 10.10.10.10:514

I verified that the 3rd party system is receiving syslogs via UDP correctly through another mechanism. I also verified that the events I want are coming in from the proper IP with the proper string. If I just put the following in my outputs.conf I get ALL syslog events via UDP to the server but filtering is not working even with the props and transforms in place -

[syslog]
defaultGroup = my_syslog_group

[syslog:my_syslog_group]
disabled = false
server = 10.10.10.10:514

Any ideas? This is from an indexer running 4.1.

Tags (2)
0 Karma

christantoy
Path Finder

Good day

I have a question.

Where i can find and edit this?

1.)tranforms.conf
2.)props.conf
3.)outputs.conf

i am using windows and have a splunk instance version version 4.3.4, build 136012

thanks
Cris

0 Karma

chadfermanxto
Explorer

I am having the exact same issue. Anyone ever resolve this?

0 Karma

jfraiberg
Communicator

3.3 fixed it

0 Karma

herterich
Explorer

what version fixed the problem 4.3.4 or 4.3.3 ?

0 Karma

jfraiberg
Communicator

I opened a ticket and it ended up being a bug. I was forced to upgrade to the latest version, once I did that the configs worked. I could not get it to work by host however, only by source with regex.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...