Getting Data In

send a subset of logs via syslog to a Third Party and all logs to Indexer

gcusello
SplunkTrust

Hi at all,

I have a problem that is described many times in Splunk docs but I didn't find my Use Case:

  • I have to send all my logs from a Heavy Forwarder to an Indexer and to a third party system via syslog,
  • Indexer must receive all the logs,
  • Third Party system must receive a subset of these data (three sourcetypes) using syslog (udp).

I used the available documentation (https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Forwarddatatothird-partysystemsd and https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf ) but the result is that I'm sending all the logs both to Indexer and syslog; in other words I'm not able to filter the syslog output.

These are my conf files on HF:

outputs.conf

[tcpout]
defaultGroup = Nothing
indexAndForward = 0

[tcpout:Splunk]
server = 1.1.1.1:9997

[tcpout-server://1.1.1.1:9997]

[syslog]
defaultGroup =  syslog

[syslog:syslog]
type=udp
server=2.2.2.2:514

I tried with and/or without defaultGroup on Splunk and syslog; then I tried to add syslogSourceType = sourcetype::sourcetype1/2/3 to the syslog stanza to filter data.

props.conf:

[sourcetype1]
TRANSFORMS-routing = Splunk,syslog

[sourcetype2]
TRANSFORMS-routing = Splunk,syslog

[sourcetype3]
TRANSFORMS-routing = Splunk,syslog

I tried also adding TRANSFORMS-routing = Splunk for all the other sourcetypes to send to Indexer but not to syslog.

Then I tried to use two TRANSFORMS stanzas.

transforms.conf:

[Splunk]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=Splunk

[syslog]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog

I tried also using three stanzas, one for each sourcetype, and also adding a regex for each sourcetype.

At the end, I continue to have all the data both to Indexer and syslog!

Can anyone help me to understand where I'm going wrong?

Ciao and thanks.

Giuseppe

0 Karma
1 Solution

gcusello
SplunkTrust

Hi at all,

I solved it by adding in inputs.conf _TCP_ROUTING to all the sourcetypes and _SYSLOG_ROUTING to the three that must be sent to syslog.

I hoped that there was an easier way!

Bye everyone.

Giuseppe

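As an added example (not from the original post), the inputs.conf stanzas on the Heavy Forwarder that implement the accepted fix: every input carries _TCP_ROUTING to the [tcpout:Splunk] group from the outputs.conf above, and only the three sourcetypes also carry _SYSLOG_ROUTING to the [syslog:syslog] group. The monitor paths are constructed, and it assumes defaultGroup is left unset in the [syslog] stanza of outputs.conf, so that nothing reaches the third party unless an input routes it there explicitly.

```ini
# inputs.conf on the Heavy Forwarder (added example; file paths are constructed)

# The three sourcetypes that must reach BOTH the indexer and the third party:
# _TCP_ROUTING names the [tcpout:Splunk] group, _SYSLOG_ROUTING the [syslog:syslog] group.
[monitor:///var/log/app/sourcetype1.log]
sourcetype = sourcetype1
_TCP_ROUTING = Splunk
_SYSLOG_ROUTING = syslog

[monitor:///var/log/app/sourcetype2.log]
sourcetype = sourcetype2
_TCP_ROUTING = Splunk
_SYSLOG_ROUTING = syslog

[monitor:///var/log/app/sourcetype3.log]
sourcetype = sourcetype3
_TCP_ROUTING = Splunk
_SYSLOG_ROUTING = syslog

# Every other input goes to the indexer only. With no _SYSLOG_ROUTING here
# (and no defaultGroup under [syslog] in outputs.conf), these events never
# leave the forwarder over UDP 514.
[monitor:///var/log/app/other.log]
sourcetype = other_sourcetype
_TCP_ROUTING = Splunk
```

To check the result, compare event counts per sourcetype on the indexer against what the syslog receiver logs: only sourcetype1, sourcetype2 and sourcetype3 should appear on the third party side.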

