splitting data coming from Universal forwarder to ...

ssyed2009 · ‎11-06-2018

We are forwarding data coming from our universal forwarders to an external Syslog server.

Our current Dataflow Architecture

Universal Forwarder -> Regional Heavy Forwarder -> Final Heavy forwarder -> Indexer

the data is received from the universal forwarder and an output sends the data to Regional Heavy Forwarder. There is another output that sends the data to the final Heavy forwarder. Once the data gets to the final heavy forwarder we have outputs that output data to indexer and duplicate stream to external Syslog.

ISSUE
The event count in the external Syslog server from the duplicate stream is almost half than the data that was indexed by Splunk. So from Splunk to our external Syslog server, we are dropping events.

ASK
I would like to know if there is a tstat command or something is Splunk that would give some metrics of how much data is being sent to the external source from a particular outputs.conf.

To send data to external syslog we are using the below solution

props.conf
[sourcetype]
TRANSFORMS-sample = sample_syslog_trend

transforms.conf
[sample_syslog_trend]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = sample_syslog

outputs.conf
[syslog:sample_syslog]
server = hostname/ipaddress:514
sendCookedData = false

splitting data coming from Universal forwarder to external syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation