Are _SYSLOG_ROUTING and _TCP_ROUTING dest_keys on...

Zanusha443 · ‎10-04-2023

Hi,

I am sending logs without indexing on Splunk to another product by using the "SYSLOG_ROUTING" DEST_KEY on the transform.conf file.

Looking at the documentation of "How Splunk licensing works", it says: "When ingesting event data, the measured data volume is based on the raw data that is placed into the indexing pipeline."

By looking on the monitor console I realized that the indexer pipeline is made by: syslog out, tcp out and indexer lines, so it seems that by using syslog_routing dest key I could also consume Splunk license.
Can you confirm this?

Kind Regards,

Angelo

are those

isoutamo · ‎10-04-2023

Hi

if you are not stored anything on local disk/indexer then it’s not counted towards your license usage. Based on your scenario, I& I understand right you are forwarding all events to the next host (indexers): then it’s not counted on your license onHF level..

r. Ismo

Are _SYSLOG_ROUTING and _TCP_ROUTING dest_keys on the transform.conf consume Splunk license ?

administration

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation