send a subset of logs via syslog to a Third Party and all logs to Indexer

gcusello (SplunkTrust)

Hi all,

I have a problem that is described many times in the Splunk docs, but I didn't find my use case:

  • I have to send all my logs from a Heavy Forwarder to an Indexer and to a third-party system via syslog,
  • the Indexer must receive all the logs,
  • the third-party system must receive a subset of this data (three sourcetypes) via syslog (UDP).

I used the available documentation (https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Forwarddatatothird-partysystemsd and https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf ), but the result is that I'm sending all the logs both to the Indexer and to syslog; in other words, I'm not able to filter the syslog output.

These are my conf files on the HF:

outputs.conf:

[tcpout]
defaultGroup = Nothing
indexAndForward = 0

[tcpout:Splunk]
server = 1.1.1.1:9997

[tcpout-server://1.1.1.1:9997]

[syslog]
defaultGroup =  syslog

[syslog:syslog]
type=udp
server=2.2.2.2:514

I tried with and without defaultGroup on Splunk and syslog; then I tried to add syslogSourceType = sourcetype::sourcetype1/2/3 to the syslog stanza to filter data.


props.conf:

[sourcetype1]
TRANSFORMS-routing = Splunk,syslog

[sourcetype2]
TRANSFORMS-routing = Splunk,syslog

[sourcetype3]
TRANSFORMS-routing = Splunk,syslog

I also tried adding TRANSFORMS-routing = Splunk for all the other sourcetypes, to send them to the Indexer but not to syslog.

Then I tried to use two TRANSFORMS stanzas.


transforms.conf:

[Splunk]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=Splunk

[syslog]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog

I also tried using three stanzas, one for each sourcetype, and also adding a regex for each sourcetype.


In the end, I still have all the data going both to the Indexer and to syslog!

Can anyone help me understand where I'm going wrong?

Ciao and thanks.

Giuseppe


gcusello (SplunkTrust), accepted solution

Hi all,

I solved it by adding, in inputs.conf, _TCP_ROUTING to all the sourcetypes and _SYSLOG_ROUTING to the three to send to syslog.

I hoped that there was an easier way!

Bye everyone.

Giuseppe

adobrzeniecki_s (Splunk Employee)

Can you show the inputs.conf for reference?


gcusello (SplunkTrust)

Hi @adobrzeniecki_s,

my Heavy Forwarder was receiving logs from other systems, so the inputs.conf was very simple:

[tcp://:9997]
disabled = 0

Ciao.

Giuseppe
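As an added example that is not part of this thread, here is one way to get the same split purely with outputs.conf, props.conf and transforms.conf on the heavy forwarder, shown in a single block with a comment marking where each file starts. It assumes the documented outputs.conf behaviour that a defaultGroup receives every event automatically, so the syslog output is given no defaultGroup and only receives events that a transform routes to it; the addresses and sourcetype names are the placeholders from the question, and only full-line comments are used because Splunk .conf files treat trailing text as part of a value.

```ini
# ---- outputs.conf (heavy forwarder) ----
# Every event goes to the indexer group by default.
[tcpout]
defaultGroup = Splunk
indexAndForward = 0

[tcpout:Splunk]
# placeholder indexer address taken from the question
server = 1.1.1.1:9997

# Assumption: with no defaultGroup here, nothing reaches syslog unless a
# transform sets _SYSLOG_ROUTING for the event.
[syslog]

[syslog:syslog]
# plaintext UDP: no encryption, no delivery guarantee, so only send what the
# third party actually needs
type = udp
# placeholder third-party collector address taken from the question
server = 2.2.2.2:514

# ---- props.conf (heavy forwarder) ----
# Only these three sourcetypes get the syslog routing transform; all other
# sourcetypes keep the tcpout default and never touch syslog.
[sourcetype1]
TRANSFORMS-routing = to_syslog

[sourcetype2]
TRANSFORMS-routing = to_syslog

[sourcetype3]
TRANSFORMS-routing = to_syslog

# ---- transforms.conf (heavy forwarder) ----
# Sets only _SYSLOG_ROUTING; _TCP_ROUTING is untouched, so the same events
# still reach the indexer through defaultGroup = Splunk.
[to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog
```

After a restart, the forwarder's metrics.log tcpout and syslog connection entries are the quickest way to confirm that the indexer keeps receiving everything while the UDP destination only sees the three sourcetypes.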
