Following the documentation http://www.splunk.com/base/Documentation/latest/admin/Forwarddatatothird-partysystems I've set up a system to forward data to a syslog server. However, while using host::hostname works, it seems that using source::/path/file or source::/path/directory is not working. Does it need to have a monitor defined as well?
# props.conf
[source::/path/file]
TRANSFORMS-routing = sendtosyslog

# transforms.conf
[sendtosyslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = INM01

# outputs.conf
[syslog:INM01]
server = 10.10.40.10:10514
type = tcp
The official documentation does not use the REGEX param in the transforms file; however, it didn't work without specifying it.
I've also used the 3 dots (...) in front of the path, but still no luck.
Replacing the source for hostname::