Hi,
we are trying to forward only the MAIN index from an indexer to a third-party system using TCP.
I've seen the documentation (Forward data to third-party systems/Route and filter data) and some community articles.
Unfortunately we still get other indexes (e.g. fortinet) forwarded as well. Any idea what we are doing wrong?
The last try from the ..\system\local\outputs.conf:
## 21.6.2020
[tcpout]
defaultGroup = slms
indexAndForward = true
forwardedindex.0.whitelist =
#forwardedindex.1.blacklist = (_.*|fortinet)
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
forwardedindex.0.whitelist = main
forwardedindex.filter.disable = false
#[indexAndForward]
#index=true
[tcpout:slms]
server = 192.168.249.140:514
sendCookedData = false
blockOnCloning = false
#forwardedindex.0.whitelist =
#forwardedindex.1.blacklist =
#forwardedindex.2.whitelist =
#forwardedindex.2.whitelist = main
#forwardedindex.filter.disable = false
#
I found a solution to forward a sourcetype only. But as we use TCP, the indexer stops/pauses indexing as soon as the receiver is not responding. I'm working on this now ...
props.conf
[security-audit]
TRANSFORMS-security-audit = send_to_syslog
#
transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_slms
#
outputs.conf
[syslog:syslog_slms]
server = <IP>:10514
type = tcp
#
The forwardedindex attribute only works under the [tcpout] stanza. Try this.
[tcpout]
defaultGroup = slms
indexAndForward = true
forwardedindex.0.blacklist = .*
forwardedindex.1.whitelist = main
forwardedindex.filter.disable = false
[tcpout:slms]
server = 192.168.249.140:514
sendCookedData = false
blockOnCloning = false
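An added example, not part of any post in this thread: a small Python check that simulates the ordered forwardedindex whitelist/blacklist evaluation documented for outputs.conf, so a stanza can be tested against index names before deploying it to a cluster. It assumes that filters are applied in ascending n with the last matching filter deciding, that the regex must match the whole index name, and that an empty value acts as no filter; the filter lines are those from the suggested answer above, the whitelist-only variant and the index names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

Filter = Tuple[str, str]  # ("whitelist" | "blacklist", regex over the index name)

def parse_forwardedindex(stanza: str) -> List[Filter]:
    """Collect forwardedindex.<n>.whitelist/blacklist keys from a [tcpout]
    stanza body and return them in ascending <n> order."""
    by_n: Dict[int, Filter] = {}
    for raw in stanza.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"forwardedindex\.(\d+)\.(whitelist|blacklist)", key.strip())
        if m and value.strip():  # assumption: an empty value is treated as no filter
            # A key repeated inside one stanza keeps its last value, as conf parsing does.
            by_n[int(m.group(1))] = (m.group(2), value.strip())
    return [by_n[n] for n in sorted(by_n)]

def forwarded(index: str, filters: List[Filter]) -> Optional[bool]:
    """Apply filters in ascending <n> order; each match overrides the earlier
    verdict, so the highest-numbered matching filter decides. Returns None
    when nothing matched, so an undecided index is visible rather than guessed."""
    verdict: Optional[bool] = None
    for kind, regex in filters:
        if re.fullmatch(regex, index):  # assumption: regex must match the whole name
            verdict = kind == "whitelist"
    return verdict

def report(stanza: str, indexes: List[str]) -> Dict[str, Optional[bool]]:
    """Verdict per index name for one [tcpout] stanza body."""
    filters = parse_forwardedindex(stanza)
    return {idx: forwarded(idx, filters) for idx in indexes}

# Filter lines from the suggested answer: catch-all blacklist first, then main.
SUGGESTED = """
forwardedindex.0.blacklist = .*
forwardedindex.1.whitelist = main
"""

# Constructed whitelist-only variant: every index other than main is left undecided.
WHITELIST_ONLY = """
forwardedindex.0.whitelist = main
"""

SAMPLE_INDEXES = ["main", "fortinet", "_internal"]  # constructed index names
```

The catch-all blacklist in the suggested stanza gives every index an explicit verdict, which is why it is the safer shape when the goal is to send nothing but main to an external receiver.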
It's still the same. Data not from the MAIN index gets forwarded as well. I forgot to say, we have a 2-node indexer cluster and for testing only one is configured as shown. Might this have any side effect?
I've opened a case at Splunk support.