Hi
Can someone please help me out here ?
I want to forward particular events to a target server, and the other one will receive all the logs by default, as it is in the default group.
transforms.conf
[logs_type1]
# Events whose _raw matches this regex get their _TCP_ROUTING key set
REGEX = (logged out|Rejected password for user|Cannot login|logged in as|Accepted user for user|was updated on host|Password was changed for account|Destroy VM called)
DEST_KEY = _TCP_ROUTING
# Name of the [tcpout:<group>] stanza in outputs.conf that should receive these events
FORMAT = esxireceivier
props.conf
[vmw_logs]
# Apply the routing transform to events of this sourcetype
TRANSFORMS-routing = logs_type1
Is my configuration fine, or can someone help me out here?
Hi @pankajupadhyay,
let me understand:
is this correct?
If this is your need, see https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Perform_selective_... for more information.
Anyway, you have to configure:
In outputs.conf:
[indexAndForward]
index=false
selectiveIndexing=true
[tcpout:<target_group>]
server = <ip address>:<port>, <ip address>:<port>, ...
...
In inputs.conf, add the _TCP_ROUTING setting to the stanzas of each input that you want to forward:
[input_stanza]
_TCP_ROUTING=<target_group>
...
Where the <target_group> is the name used in outputs.conf to specify the target group of receiving indexers.
If you don't insert _TCP_ROUTING=<target_group>, the log is sent to both target servers.
In this way you send all the events that don't have any _TCP_ROUTING to all the indexers, and the events where _TCP_ROUTING=selected_targets only to one server.
Then, if you want to filter events on the selected indexers, you can do this following the instructions at the same URL above.
Ciao.
Giuseppe
I want to send only the specific events which I have mentioned in the REGEX to the selected target destination (third-party collector).
Our indexer is in the default group, so by default all the logs will come to the Splunk indexer.
And we have a heavy forwarder where we define the configuration and send it to the indexer and the third-party collector.
Is my configuration valid?
As I have mentioned in transforms.conf, the events should be sent to the target server and the rest should not go.
Let me know if I have made a mistake or how I can make the configuration more precise.
Hi @pankajupadhyay,
the selective indexing configuration is the one I described!
Anyway, what did you insert in outputs.conf?
Ciao.
Giuseppe
This is my outputs.conf:
[tcpout:xyz]
server = 10.1.1.1:520
# Send raw events, not Splunk's cooked format, since the receiver is not Splunk
sendCookedData = false
disabled = false
I am not indexing my data on the HF:
[indexAndForward]
index = false
selectiveIndexing = true
And the third-party target server is not Splunk. It is IBM QRadar.
Hi @pankajupadhyay,
You can send data using TCP or syslog, as described at https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Forwarddatatothird-partysystemsd#Forwa...
If you use TCP routing, check that the outputs.conf tcpout stanza is the same as the one you used in the transforms.conf FORMAT option.
Ciao.
Giuseppe
I have referenced the same tcpout group from outputs.conf in transforms.conf:
FORMAT = the name which we have defined in outputs.conf
But it is still sending other events which I have not mentioned in the REGEX of transforms.conf.
Hi @pankajupadhyay,
I encountered the same issue in the past, and in the end I preferred to send logs via syslog using the Syslog Mod Alert App (https://splunkbase.splunk.com/app/4199/).
In this way you can filter the events to send using a search.
Ciao.
Giuseppe
We faced an issue while forwarding the logs as syslog; that's why we are forwarding the logs as TCP.
Aside from that, is my regex fine? Is it correct?
Regards
Pankaj Upadhyay
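As an added example (not from this thread and not Splunk's own code), here is a small Python simulation of the routing decision the heavy forwarder makes for the configuration discussed above. It parses the transforms.conf stanza from the question and an outputs.conf modelled on the one posted later, checks that the FORMAT value names an existing [tcpout:<group>] stanza (the check Giuseppe describes), and runs the REGEX over constructed ESXi-style log lines to show which events go to the third-party group and which fall through to the default group. Assumptions: the third-party group is called xyz as in the posted outputs.conf; the indexer group splunk_indexers, its address and the sample log lines are made up for this example; every sample event is taken to carry the vmw_logs sourcetype so that the props.conf stanza applies; and outputs.conf is assumed to declare a separate indexer group as defaultGroup, which is where unmatched events are expected to land.

```python
"""Offline simulation of Splunk's _TCP_ROUTING decision for the thread's config (added example)."""
import configparser
import re

# transforms.conf as posted in the question; FORMAT uses the group name from the posted outputs.conf.
TRANSFORMS_CONF = """
[logs_type1]
REGEX = (logged out|Rejected password for user|Cannot login|logged in as|Accepted user for user|was updated on host|Password was changed for account|Destroy VM called)
DEST_KEY = _TCP_ROUTING
FORMAT = xyz
"""

# Assumed outputs.conf: the posted [tcpout:xyz] plus an assumed indexer group as defaultGroup.
# The splunk_indexers name and 10.1.1.2:9997 are assumptions for this example.
OUTPUTS_CONF = """
[indexAndForward]
index = false
selectiveIndexing = true

[tcpout]
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = 10.1.1.2:9997

[tcpout:xyz]
server = 10.1.1.1:520
sendCookedData = false
disabled = false
"""

# Constructed ESXi-style log lines (not real captures); all assumed to have sourcetype vmw_logs.
SAMPLE_EVENTS = [
    "2021-03-01T10:15:02Z esxi01 Hostd: [Auth] User root@10.0.0.5 logged in as root",
    "2021-03-01T10:15:09Z esxi01 Hostd: Rejected password for user admin from 10.0.0.9",
    "2021-03-01T10:16:00Z esxi01 vpxa: Destroy VM called for vm-1042",
    "2021-03-01T10:16:30Z esxi01 Hostd: Event 512: Host cpu usage status changed to green",
    "2021-03-01T10:17:45Z esxi01 Hostd: [Auth] User root@10.0.0.5 logged out",
]


def _parse(conf_text):
    # Splunk .conf files are INI-like; only '=' separates key and value (values may contain ':').
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return cp


def load_routing_transforms(transforms_conf):
    """Return {stanza: (compiled REGEX, target group)} for stanzas that set DEST_KEY = _TCP_ROUTING."""
    cp = _parse(transforms_conf)
    routing = {}
    for name in cp.sections():
        stanza = cp[name]
        if stanza.get("DEST_KEY") == "_TCP_ROUTING":
            routing[name] = (re.compile(stanza["REGEX"]), stanza["FORMAT"])
    return routing


def load_output_groups(outputs_conf):
    """Return (set of tcpout group names, defaultGroup or None) from outputs.conf."""
    cp = _parse(outputs_conf)
    groups = {sec.split(":", 1)[1] for sec in cp.sections() if sec.startswith("tcpout:")}
    default = cp["tcpout"].get("defaultGroup") if cp.has_section("tcpout") else None
    return groups, default


def check_routing_targets(transforms_conf, outputs_conf):
    """The check from the thread: every FORMAT must name an existing [tcpout:<group>] stanza."""
    groups, _ = load_output_groups(outputs_conf)
    problems = []
    for stanza, (_, target) in load_routing_transforms(transforms_conf).items():
        if target not in groups:
            problems.append(f"[{stanza}] FORMAT = {target} has no [tcpout:{target}] stanza in outputs.conf")
    return problems


def route_event(raw, transforms, default_group):
    """Splunk matches REGEX against _raw as an unanchored PCRE search; re.search is the equivalent.
    Only one routing stanza exists here, so precedence among several stanzas is not modelled."""
    for regex, target in transforms.values():
        if regex.search(raw):
            return target
    return default_group


def route_events(events, transforms_conf, outputs_conf):
    """Return [(raw event, destination group)] for each event."""
    transforms = load_routing_transforms(transforms_conf)
    _, default_group = load_output_groups(outputs_conf)
    return [(raw, route_event(raw, transforms, default_group)) for raw in events]


if __name__ == "__main__":
    for problem in check_routing_targets(TRANSFORMS_CONF, OUTPUTS_CONF):
        print("config problem:", problem)
    for raw, group in route_events(SAMPLE_EVENTS, TRANSFORMS_CONF, OUTPUTS_CONF):
        print(f"{group:16} <- {raw}")
```

Running it shows the three authentication events and the "Destroy VM called" event assigned to xyz and the CPU status event to splunk_indexers. Changing FORMAT back to a name that has no matching [tcpout:...] stanza makes check_routing_targets report it, which is the first thing to verify when events are not landing where the REGEX says they should.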