Getting Data In

send a subset of logs via syslog to a Third Party and all logs to Indexer

gcusello
SplunkTrust

Hi at all,

I have a problem that is described many times in Splunk docs but I didn't find my Use Case:

  • I have to send all my logs from a Heavy Forwarder to an Indexer and to a third party system via syslog,
  • Indexer must receive all the logs,
  • Third Party system must receive a subset of these data (three sourcetypes) using syslog (udp).

I used the available documentation (https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Forwarddatatothird-partysystemsd and https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf ) but the result is that I'm sending all the logs both to Indexer and syslog; in other words I'm not able to filter the syslog output.

These are my conf files on HF:

[tcpout]
defaultGroup = Nothing
indexAndForward = 0

[tcpout:Splunk]
server = 1.1.1.1:9997

[tcpout-server://1.1.1.1:9997]

[syslog]
defaultGroup =  syslog

[syslog:syslog]
type=udp
server=2.2.2.2:514

I tried with and/or without defaultGroup on Splunk and syslog; then I tried to add syslogSourceType = sourcetype::sourcetype1/2/3 to the syslog stanza to filter data.

props.conf:

[sourcetype1]
TRANSFORMS-routing = Splunk,syslog

[sourcetype2]
TRANSFORMS-routing = Splunk,syslog

[sourcetype3]
TRANSFORMS-routing = Splunk,syslog

I tried also adding TRANSFORMS-routing = Splunk for all the other sourcetypes to send to Indexer but not to syslog.

Then I tried to use two TRANSFORMS stanzas.

transforms.conf:

[Splunk]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=Splunk

[syslog]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog

I tried also using three stanzas, one for each sourcetype, and also adding a regex for each sourcetype.

At the end, I continue to have all the data both to Indexer and syslog!

Can anyone help me to understand where I'm going wrong?

Ciao and thanks.

Giuseppe
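Added example, not from the thread, Splunk's documentation or the poster's files: one way to get the split the question asks for with the same three conf files and the poster's placeholder addresses 1.1.1.1:9997 and 2.2.2.2:514. The difference from the configuration above is that the [syslog] stanza carries no defaultGroup, so an event reaches the syslog target only when a transform sets its _SYSLOG_ROUTING key, while defaultGroup = Splunk under [tcpout] sends every event to the indexer with no transform needed. The group name thirdparty and the transform name route_syslog are assumed names, and the behaviour that events without a _SYSLOG_ROUTING key stay off a syslog output that has no defaultGroup is an assumption to confirm on a test forwarder.

```ini
# outputs.conf (assumed example, not the poster's file)
[tcpout]
# every event is forwarded to the indexer; no _TCP_ROUTING transform needed
defaultGroup = Splunk
indexAndForward = 0

[tcpout:Splunk]
server = 1.1.1.1:9997

# no [syslog] defaultGroup: only events whose _SYSLOG_ROUTING key a
# transform sets are sent to this target (assumed behaviour, verify)
[syslog:thirdparty]
server = 2.2.2.2:514
type = udp

# props.conf: attach the syslog routing transform to the three sourcetypes only;
# every other sourcetype keeps the [tcpout] default and goes to the indexer alone
[sourcetype1]
TRANSFORMS-routing = route_syslog

[sourcetype2]
TRANSFORMS-routing = route_syslog

[sourcetype3]
TRANSFORMS-routing = route_syslog

# transforms.conf: add the syslog destination to matching events; setting
# _SYSLOG_ROUTING does not touch _TCP_ROUTING, so they still reach the indexer
[route_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = thirdparty
```

In the configuration posted in the question, defaultGroup = syslog under [syslog] sends every event that has no _SYSLOG_ROUTING key to the syslog group as well, which matches the "everything arrives at both" symptom; the transforms themselves are fine. Note also that syslogSourceType in outputs.conf controls header handling for data that is already in syslog format and does not filter what is sent. After a restart, `splunk btool props list sourcetype1 --debug` shows which file each TRANSFORMS-routing setting is read from, and a capture on udp/514 at the third-party side should then show only the three sourcetypes.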

1 Solution

gcusello
SplunkTrust

Hi at all,

I solved it by adding in inputs.conf _TCP_ROUTING to all the sourcetypes and _SYSLOG_ROUTING to the three ones to send to syslog.

I hoped that there was an easier way!

Ciao a tutti.

Giuseppe

adobrzeniecki_s
Splunk Employee

Can you show the inputs.conf for reference?

gcusello
SplunkTrust

Hi @adobrzeniecki_s,

my Heavy Forwarder was receiving logs from other systems, so the inputs.conf was very simple:

[tcp://:9997]
disabled = 0

Ciao.

Giuseppe
