Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

forwarding logs through props.conf

franciscof
Explorer
‎02-25-2021 04:46 AM

Hi guys. i´m trying to forward some events to another indexer usin my configuration files props.conf, transforms.conf and outputs.conf but the problem is that when I do it I forward all my data and not onlt the index and sourcetype that I want to forward even though I´m sure of applying those filters correctly on my props.conf 

What could be happening?

Thanks in advance.

Labels (2)
0 Karma
Reply

jodonald
Explorer
‎03-01-2021 12:32 PM

probably the indexAndFoward setting

It would be greatly helpful if you include your props and transforms.  Also please review the splunk docs for routing and filtering data.

https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad

 

0 Karma
Reply

franciscof
Explorer
‎03-03-2021 05:37 AM

Hi, 

Here is my props.conf located on /opt/splunk/etc/apps/search/local

[f5:bigip:syslog]
TRANSFORMS-routing = routeLT
index = test_f5
source = tcp:9515

Here is my transforms.conf located on /opt/splunk/etc/apps/search/local

[routeLT]
REGEX=(\w+?\-?\w+\-\w+(?:\-\w+)?\:\:\w+\-?\d?\.\"\S+\"\s+\=\s+\".*\"|\d+\/\d+\/\d+\s+[\d\:]+\s+\-\S+\s+.action\=ping\s+\S+\n\S+.+\n.+ms)
DEST_KEY=_TCP_ROUTING
FORMAT=LightTech, default-autolb-group

Here is my inputs.conf located on /opt/splunk/etc/apps/search/local

[tcp://9515]
connection_host = ip
index = test_f5
sourcetype = f5:bigip:syslog
_TCP_ROUTING = LighTech

And here is my outputs.conf located on /opt/splunk/etc/system/local

[tcpout]
forwardedindex.filter.disable = true
indexAndForward = true

[tcpout:LighTech]
server = 190.210.177.194:9997

[indexAndForward]
index = true

What could be wrong?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
li.common.scroll-to.top