I have an all in one enterprise splunk install (indexer, search head, file monitoring) with a number of universal forwarders forwarding data to it.
I need to forward everything I receive on the central splunk server to a third party system. I tried both the:
[syslog] (using TCP)
approaches described in the doc.
The log data is forwarding fine.
The problem is that the metadata is missing. The source,sourcetype and host are missing when using tcpout and the source and sourcetype are missing when using syslog. Without them, the data will make no sense to the receiving system.
Is it possible to use a transform to put the metadata back in the data? If so, How?
... View more