×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
petermelsen
Explorer
Member since: ‎01-29-2019
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎01-29-2019
Activity Feed
View All

Re: Local processing of forwarded events on heavy ...

by in Getting Data In
‎02-01-2019 07:01 AM
‎02-01-2019 07:01 AM
The answer in given in https://answers.splunk.com/answering/275684/view.html did the trick - the local processing is now active and SEDCMD in the props.conf are working now. ... View more

Re: Local processing of forwarded events on heavy ...

by in Getting Data In
‎01-31-2019 02:16 AM
‎01-31-2019 02:16 AM
Would it be possible to forward data in a way from heavy forwarder A (fx as "uncooked") so that processing could be done on heavy forwarder B? ... View more

Re: Local processing of forwarded events on heavy ...

by in Getting Data In
‎01-31-2019 02:12 AM
‎01-31-2019 02:12 AM
Yes - I have tried to add a default clause in props.conf to change the routing via another path defined in transforms.conf and outputs.conf - but it has no effect... ... View more

Local processing of forwarded events on heavy forw...

by in Getting Data In
‎01-29-2019 03:27 PM
1 Karma
‎01-29-2019 03:27 PM
1 Karma
A customer has a heavy forwarder (A) that is forwarding logs to my local heavy forwarder (B). I have no control over heavy forwarder A and would like to use props.conf to perform source and sourcetype specific processing/rewriting (fx using SEDCMD) on heavy forwarder B before sending the events to a syslog server. I am having difficulties in getting the forwarded events to go through local processing - if I use _SYSLOG_FORWARDING in the inputs.conf - then the events seem to bypass the local processing and go directly to the output. I have tried to specify queue = parsingQueue (even though this is the default) but it doesn't seem to have any effect. How can I get the event forwarded from the customer heavy forwarder A to go through the processing stages on heavy forwarder B? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All