Hi all,
I have a problem that is described many times in the Splunk docs, but I didn't find my use case:
I used the available documentation (https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Forwarddatatothird-partysystemsd and https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf ), but the result is that I'm sending all the logs both to the Indexer and to syslog; in other words, I'm not able to filter the syslog output.
These are my conf files on HF:
outputs.conf
[tcpout]
defaultGroup = Nothing
indexAndForward = 0
[tcpout:Splunk]
server = 1.1.1.1:9997
[tcpout-server://1.1.1.1:9997]
[syslog]
defaultGroup = syslog
[syslog:syslog]
type=udp
server=2.2.2.2:514
I tried with and without defaultGroup on Splunk and syslog; then I tried to add syslogSourceType = sourcetype::sourcetype1/2/3 to the syslog stanza to filter the data.
props.conf:
[sourcetype1]
TRANSFORMS-routing = Splunk,syslog
[sourcetype2]
TRANSFORMS-routing = Splunk,syslog
[sourcetype3]
TRANSFORMS-routing = Splunk,syslog
I also tried adding TRANSFORMS-routing = Splunk for all the other sourcetypes, to send them to the Indexer but not to syslog.
Then I tried to use two TRANSFORMS stanzas.
transforms.conf:
[Splunk]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=Splunk
[syslog]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog
I also tried using three stanzas, one for each sourcetype, and also adding a regex for each sourcetype.
In the end, all the data still goes both to the Indexer and to syslog!
Can anyone help me to understand where I'm going wrong?
Ciao and thanks.
Giuseppe
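Added example, not part of the original post and not Giuseppe's configuration: the three files below show how selective syslog routing is normally set up on a heavy forwarder, reusing the group names (Splunk, syslog), the addresses (1.1.1.1:9997, 2.2.2.2:514) and the sourcetype names from the post, all of which are assumed here. The point the example makes is that the indexer group is the default for everything via [tcpout] defaultGroup, while the syslog group has no defaultGroup at all, so data only reaches 2.2.2.2 when a transform sets _SYSLOG_ROUTING for it. Setting defaultGroup under the [syslog] stanza, as in the original outputs.conf, sends every event to syslog regardless of any transform, and a transform with REGEX = . on _TCP_ROUTING is redundant when the tcpout default already covers it.

```ini
# ---- outputs.conf (heavy forwarder) ----
# Everything goes to the indexers by default; the HF does not index locally.
[tcpout]
defaultGroup = Splunk
indexAndForward = 0

[tcpout:Splunk]
server = 1.1.1.1:9997

# Deliberately NO [syslog] defaultGroup stanza: a defaultGroup here would
# send all data to the syslog target, which is the behaviour the post describes.
# Only events whose _SYSLOG_ROUTING key is set to "syslog" reach this group.
[syslog:syslog]
type = udp
server = 2.2.2.2:514

# ---- props.conf ----
# Only the three sourcetypes that must be mirrored to syslog get the routing
# transform; all other sourcetypes keep the tcpout default and skip syslog.
[sourcetype1]
TRANSFORMS-routing = to_syslog

[sourcetype2]
TRANSFORMS-routing = to_syslog

[sourcetype3]
TRANSFORMS-routing = to_syslog

# ---- transforms.conf ----
# Match every event of the selected sourcetypes and tag it for the "syslog"
# output group. The event still goes to the indexers via defaultGroup;
# _SYSLOG_ROUTING adds a destination, it does not replace _TCP_ROUTING.
[to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog
```

Two checks worth doing after applying this: run `splunk btool outputs list --debug` and `splunk btool transforms list --debug` on the HF to confirm no other app still contributes a [syslog] defaultGroup or a competing TRANSFORMS-routing for these sourcetypes, and make sure the HF is actually the first Splunk instance to parse the data. Index-time props/transforms run once, at parsing; data that arrives already parsed from another heavy forwarder is not re-parsed, so these routing rules would silently not apply to it, while raw TCP inputs and universal-forwarder traffic are parsed on the HF and are routed as above.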
Hi all,
I solved it by adding in inputs.conf _TCP_ROUTING to all the sourcetypes and _SYSLOG_ROUTING to the three to send to syslog.
I hoped that there was an easier way!
Ciao everyone.
Giuseppe
Can you show the inputs.conf for reference?
Hi @adobrzeniecki_s,
my Heavy Forwarder was receiving logs from other systems, so the inputs.conf was very simple:
[tcp://:9997]
disabled = 0
Ciao.
Giuseppe