Hi graju89,
see these: https://docs.splunk.com/Documentation/Splunk/7.3.2/Forwarding/Forwarddatatothird-partysystemsd and https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Transformsconf
Anyway, to filter on two parameters there are two ways:
If you can find one of the parameters in the raw logs, you can use it to filter logs in transforms.conf: e.g. if you want to forward to third-party syslogs, at the beginning of each event you can find the host IP address, so you can use the sourcetype as the main stanza in props.conf and a regex with that IP address in the REGEX of transforms.conf.
Otherwise you can use the SOURCE_KEY = MetaData:Host option in your transforms.conf, e.g. something like this:
props.conf
[your_sourcetype]
TRANSFORMS-weblog-matrix = send_to_syslog_EFH,send_to_index
transforms.conf
[send_to_syslog_EFH]
SOURCE_KEY = MetaData:Host
REGEX = your_host
DEST_KEY=_SYSLOG_ROUTING
FORMAT=my_syslog_group
Ciao.
Giuseppe
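As an added, complete version of the configuration sketched in the answer above (example configuration written for this page, not Giuseppe's own files): the sourcetype stanza in props.conf is the first filter parameter, the host regex in transforms.conf is the second, and outputs.conf defines the syslog group and indexer group that the two FORMAT values refer to. All stanza names, hostnames and addresses (your_sourcetype, send_to_syslog_EFH, send_to_index, my_syslog_group, primary_indexers, web01..03, the 10.1.2.0/24 range, syslog-collector.example.com, idx01/idx02.example.com) are assumed placeholders. Two details worth checking in a real deployment: the value Splunk presents for MetaData:Host carries a host:: prefix, and an unanchored pattern such as the answer's REGEX = your_host also matches any host whose name merely contains that string, so the pattern below is anchored on both ends.

```ini
# props.conf
# Routing happens at parsing time, so these files belong on a heavy forwarder
# or indexer, not on a universal forwarder.
# Parameter 1: the sourcetype stanza selects which events the transforms see.
[your_sourcetype]
TRANSFORMS-routing = send_to_syslog_EFH, send_to_index

# transforms.conf
# Parameter 2: the host metadata field. Splunk hands the transform the value
# as "host::<name>", so the regex is anchored on the prefix and the end of
# the string: "web01" must not also match "web011" or "myweb01".
# Matching events are sent to the syslog group defined in outputs.conf.
[send_to_syslog_EFH]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(?:web0[1-3]|10\.1\.2\.\d{1,3})$
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

# Every event of this sourcetype also stays in Splunk: route it to a named
# indexer group. _SYSLOG_ROUTING and _TCP_ROUTING are independent, so a
# host matched above is both forwarded to syslog and indexed.
[send_to_index]
SOURCE_KEY = MetaData:Host
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = primary_indexers

# outputs.conf
# Placeholder collector address; Splunk conf files do not allow trailing
# comments, so notes are kept on their own lines.
[syslog:my_syslog_group]
server = syslog-collector.example.com:514
type = udp

[tcpout]
defaultGroup = primary_indexers

# Placeholder indexer addresses.
[tcpout:primary_indexers]
server = idx01.example.com:9997, idx02.example.com:9997
```

After deploying, restart the parsing-tier instance and confirm the routing with a search such as `index=* sourcetype=your_sourcetype | stats count by host` on the Splunk side and a packet capture or the collector's own logs on the syslog side; if the syslog collector receives nothing, the first thing to verify is the host:: prefix and anchoring in REGEX.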