Splunk Search

Can I use splunktcp connections without forwarding audit logs?

matthewhaswell
Path Finder

Hi,

I have a Splunk feed I want to forward to a customer. It has its own index, which it fills from Windows Events matching a transform, and I then want to forward that index to the customer's Splunk system. Rather than create a syslog stream (and have to talk the customer through an inputs.conf to decode it, stop it adding timestamps, etc.) I thought I could use the Splunk-to-Splunk TCP feed, which also incorporates buffering, heartbeats and other good stuff. I managed to get it to work to a test Splunk system perfectly, but then discovered it was also forwarding all the internal audit logs!

How do I stop anything going to them apart from the data I want? I tried a regex on the output transform, which should limit it, but a packet trace on the connection shows lots of other stuff going too. I see refs to audit trace, so I'm assuming it's internal audit logs (which I still want locally, of course, but not sent to customers!).

props.conf:

[TelcoEvents]

...this is filled from another feed...
...here is some SED stuff to censor the feed too...

# Now to send to customer: hand every event of this sourcetype to the routing transform
TRANSFORMS-LiveTransform=LiveTransformOutput

transforms.conf:

[LiveTransformOutput]
# Match any event (a single character is enough) and set the TCP routing key
REGEX=.
DEST_KEY=_TCP_ROUTING
# Route matching events to the tcpout group named LiveOutput in outputs.conf
FORMAT=LiveOutput

outputs.conf:

[tcpout:LiveOutput]
# Customer's Splunk receiver (splunktcp input listening on 9012)
server=customeripaddress:9012
disabled=false
# Seconds between heartbeats to the receiver
heartbeatFrequency=30
# In-memory queue size before events block or drop when the receiver is unreachable
maxQueueSize=20MB

On the other side, 9012 is configured as a receiving port on the customer's Splunk.

Running 4.2.4 on Linux.

Any ideas?

Matt


matthewhaswell
Path Finder

I guess they stopped requiring Splunk engineers to answer these questions? Certainly there seem to be a lot more unanswered questions on here now.

Anyway, I found out that I can stop the audit events by filtering by index. Thanks to Ken Frew @ Eqalis for the hints to get me started.

In outputs.conf, change the [tcpout:LiveOutput] stanza to:

[tcpout:LiveOutput]
server=customeripaddress:9012
disabled=false
heartbeatFrequency=30
maxQueueSize=20MB
# Index filters are tested in numeric order; the last rule whose pattern
# matches an event's target index decides whether that event is forwarded.
# Blacklist every index, then whitelist only the one meant for the customer.
forwardedindex.1.blacklist = .*
forwardedindex.2.whitelist = newindex
# Keep index filtering switched on (true would forward every index again)
forwardedindex.filter.disable = false

Where newindex is the index holding what you want to forward. Note that if it's a splunktcp connection then the events will want a "newindex" index at the receiving customer side too (although I guess they could change their inputs.conf to specify a certain index).

Matt

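The index-filter behaviour the accepted answer relies on, as an added worked example that is not from the original thread and not Splunk's own code. It parses the forwardedindex rules from the two stanzas, layers the group stanza over the [tcpout] defaults the way the forwarder does, and shows which sample indexes would reach the customer before and after the fix. The default filters, the stanza text and the index names are constructed for the example; the evaluation semantics are the documented "ordered rules, last match wins, whitelist beats blacklist for the same n". Two details are assumptions rather than verified behaviour: that a pattern must match the whole index name, and that an index matching no rule is not forwarded.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the default index filters documented for outputs.conf
# in the 4.x era (newer versions whitelist more internal indexes by default).
DEFAULT_FILTERS = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
"""

# Constructed sample: the accepted answer's group stanza. A setting in a
# [tcpout:<group>] stanza overrides the same-numbered setting inherited
# from [tcpout]; other inherited rules (here 0.whitelist = .*) remain.
CUSTOMER_STANZA = """
[tcpout:LiveOutput]
server=customeripaddress:9012
disabled=false
forwardedindex.1.blacklist = .*
forwardedindex.2.whitelist = newindex
forwardedindex.filter.disable = false
"""

_RULE = re.compile(r"^forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(\S+)\s*$")
_DISABLE = re.compile(r"^forwardedindex\.filter\.disable\s*=\s*(\w+)\s*$")

Rules = Dict[Tuple[int, str], str]


def parse_filters(conf_text: str, base: Optional[Rules] = None) -> Rules:
    """Collect forwardedindex.<n>.(whitelist|blacklist) rules keyed by (n, kind).

    `base` holds rules inherited from [tcpout]; the stanza being parsed
    replaces entries with the same (n, kind) and leaves the rest in place.
    """
    rules: Rules = dict(base or {})
    for line in conf_text.splitlines():
        m = _RULE.match(line.strip())
        if m:
            rules[(int(m.group(1)), m.group(2))] = m.group(3)
    return rules


def filter_disabled(conf_text: str) -> bool:
    """True when forwardedindex.filter.disable is set to a truthy value."""
    for line in conf_text.splitlines():
        m = _DISABLE.match(line.strip())
        if m:
            return m.group(1).lower() in ("true", "1", "yes")
    return False


def ordered_rules(rules: Rules) -> List[Tuple[int, str, str]]:
    """Rules in ascending n; for a given n the whitelist is honoured, the blacklist ignored."""
    out = []
    for n in sorted({n for n, _ in rules}):
        kind = "whitelist" if (n, "whitelist") in rules else "blacklist"
        out.append((n, kind, rules[(n, kind)]))
    return out


def is_forwarded(index_name: str, rules: Rules, disabled: bool = False) -> bool:
    """Walk the ordered filters; the last one whose pattern matches decides.

    Assumption: patterns must match the whole index name (re.fullmatch), and an
    index that matches no rule at all is not forwarded.
    """
    if disabled:
        return True  # filter.disable = true forwards every index
    decision = False
    for _n, kind, pattern in ordered_rules(rules):
        if re.fullmatch(pattern, index_name):
            decision = kind == "whitelist"
    return decision


def forwarded_indexes(candidates: List[str], rules: Rules, disabled: bool = False) -> List[str]:
    return sorted(i for i in candidates if is_forwarded(i, rules, disabled))


# Constructed index names: two internal indexes, a normal one, the customer's
# index, and a near-miss that shows why the whitelist pattern must be exact.
SAMPLE_INDEXES = ["_audit", "_internal", "main", "newindex", "newindex_copy"]


def defaults_only() -> List[str]:
    """What a bare [tcpout] forwards: every index except _internal, and _audit too."""
    return forwarded_indexes(SAMPLE_INDEXES, parse_filters(DEFAULT_FILTERS))


def with_customer_filters() -> List[str]:
    """What the accepted answer's stanza forwards once layered on the defaults."""
    rules = parse_filters(CUSTOMER_STANZA, parse_filters(DEFAULT_FILTERS))
    return forwarded_indexes(SAMPLE_INDEXES, rules, filter_disabled(CUSTOMER_STANZA))


if __name__ == "__main__":
    print("defaults forward :", defaults_only())
    print("answer forwards  :", with_customer_filters())
```

The run shows the original leak: with only the shipped defaults, `_audit` is forwarded alongside every customer-facing index, because the default `2.whitelist = _audit` re-admits it after `1.blacklist = _.*`. The answer's stanza overrides both of those numbered slots, so only `newindex` survives. If a real deployment uses an unanchored pattern and the forwarder matches substrings, `newindex_copy` would also pass; writing the whitelist as `^newindex$` removes that doubt.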
