Splunk Enterprise

forwarding logs through props.conf

franciscof
Explorer

Hi guys. I'm trying to forward some events to another indexer using my configuration files props.conf, transforms.conf and outputs.conf, but the problem is that when I do it I forward all my data and not only the index and sourcetype that I want to forward, even though I'm sure I am applying those filters correctly in my props.conf.

What could be happening?

Thanks in advance.

0 Karma

jodonald
Explorer

Probably the indexAndForward setting.

It would be greatly helpful if you included your props and transforms. Also, please review the Splunk docs for routing and filtering data.

https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad

 

0 Karma

franciscof
Explorer

Hi, 

Here is my props.conf located on /opt/splunk/etc/apps/search/local

[f5:bigip:syslog]
TRANSFORMS-routing = routeLT
index = test_f5
source = tcp:9515

Here is my transforms.conf located on /opt/splunk/etc/apps/search/local

[routeLT]
REGEX=(\w+?\-?\w+\-\w+(?:\-\w+)?\:\:\w+\-?\d?\.\"\S+\"\s+\=\s+\".*\"|\d+\/\d+\/\d+\s+[\d\:]+\s+\-\S+\s+.action\=ping\s+\S+\n\S+.+\n.+ms)
DEST_KEY=_TCP_ROUTING
FORMAT=LightTech, default-autolb-group

Here is my inputs.conf located on /opt/splunk/etc/apps/search/local

[tcp://9515]
connection_host = ip
index = test_f5
sourcetype = f5:bigip:syslog
_TCP_ROUTING = LighTech

And here is my outputs.conf located on /opt/splunk/etc/system/local

[tcpout]
forwardedindex.filter.disable = true
indexAndForward = true

[tcpout:LighTech]
server = 190.210.177.194:9997

[indexAndForward]
index = true

What could be wrong?

0 Karma
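Added example, not part of the original posts or of Splunk's tooling: a Python check that cross-references every _TCP_ROUTING target in inputs.conf and transforms.conf against the [tcpout:<group>] stanzas in outputs.conf, and flags inputs that set _TCP_ROUTING directly, since that setting routes every event from the input. The sample strings are constructed from the routing-relevant lines posted above; parse_conf, check_routing and the finding labels are names chosen here, and only the files passed in are checked, so a group defined in another app would still be reported.

```python
import re

# Constructed sample: routing-relevant lines from the stanzas posted in this thread.
INPUTS = "[tcp://9515]\nsourcetype = f5:bigip:syslog\n_TCP_ROUTING = LighTech\n"
TRANSFORMS = "[routeLT]\nDEST_KEY=_TCP_ROUTING\nFORMAT=LightTech, default-autolb-group\n"
OUTPUTS = "[tcpout]\nindexAndForward = true\n[tcpout:LighTech]\nserver = 190.210.177.194:9997\n"

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    conf, stanza = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = conf.setdefault(header.group(1), {})
        elif stanza is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: values may contain "="
            stanza[key.strip()] = value.strip()
    return conf

def check_routing(inputs, transforms, outputs):
    """Return (finding, stanza, detail) tuples for the given .conf texts."""
    groups = {s.split(":", 1)[1] for s in parse_conf(outputs) if s.startswith("tcpout:")}
    refs, findings = [], []
    for name, kv in parse_conf(inputs).items():
        if "_TCP_ROUTING" in kv:
            # Input-level routing applies to every event from this input.
            findings.append(("input-wide-routing", name, kv["_TCP_ROUTING"]))
            refs.append((name, kv["_TCP_ROUTING"]))
    for name, kv in parse_conf(transforms).items():
        if kv.get("DEST_KEY") == "_TCP_ROUTING":
            refs.append((name, kv.get("FORMAT", "")))
    for name, value in refs:
        for group in filter(None, (g.strip() for g in value.split(","))):
            if group not in groups:  # group names are compared case-sensitively
                findings.append(("undefined-group", name, group))
    return findings

if __name__ == "__main__":
    for finding in check_routing(INPUTS, TRANSFORMS, OUTPUTS):
        print(finding)
```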