Re: forwarding logs through props.conf

franciscof · ‎02-25-2021

Hi guys. i´m trying to forward some events to another indexer usin my configuration files props.conf, transforms.conf and outputs.conf but the problem is that when I do it I forward all my data and not onlt the index and sourcetype that I want to forward even though I´m sure of applying those filters correctly on my props.conf

What could be happening?

Thanks in advance.

jodonald · ‎03-01-2021

probably the indexAndFoward setting

It would be greatly helpful if you include your props and transforms. Also please review the splunk docs for routing and filtering data.

https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad

franciscof · ‎03-03-2021

Hi,

Here is my props.conf located on /opt/splunk/etc/apps/search/local

[f5:bigip:syslog]
TRANSFORMS-routing = routeLT
index = test_f5
source = tcp:9515

Here is my transforms.conf located on /opt/splunk/etc/apps/search/local

[routeLT]
REGEX=(\w+?\-?\w+\-\w+(?:\-\w+)?\:\:\w+\-?\d?\.\"\S+\"\s+\=\s+\".*\"|\d+\/\d+\/\d+\s+[\d\:]+\s+\-\S+\s+.action\=ping\s+\S+\n\S+.+\n.+ms)
DEST_KEY=_TCP_ROUTING
FORMAT=LightTech, default-autolb-group

Here is my inputs.conf located on /opt/splunk/etc/apps/search/local

[tcp://9515]
connection_host = ip
index = test_f5
sourcetype = f5:bigip:syslog
_TCP_ROUTING = LighTech

And here is my outputs.conf located on /opt/splunk/etc/system/local

[tcpout]
forwardedindex.filter.disable = true
indexAndForward = true

[tcpout:LighTech]
server = 190.210.177.194:9997

[indexAndForward]
index = true

What could be wrong?

forwarding logs through props.conf

configuration

using Splunk Enterprise

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms