×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
frank_yin
Loves-to-Learn
Member since: 3 weeks ago
2 weeks ago
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-27-2025
View All

Forwarding all logs from HF to third-party using s...

by in Getting Data In
3 weeks ago
3 weeks ago
My goal is to: 1. Default send everything from UF agent (excluded syslog source) to syslog group: chron-autolb group. 2. Do not send anything to tcp output group "idx-autolb-group" unless explicitly allowed for sourcetype such as “WinEventLog” and “auditd” However when I set below, I can still receive everything on my Splunk indexers, please advise, Thanks. # outputs.conf [syslog] defaultGroup = chron-autolb-group [syslog:chron-autolb-group] server = X.X.X.X:514 [tcpout:idx-autolb-group] disabled = false server = A.A.A.A:9997, B.B.B.B:9997, C.C.C.C:9997 sslCertPath = $SPLUNK_HOME/etc/auth/server.pem sslPassword = xxxxxxxx sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem sslVerifyServerCert = false # props.conf ###Filter out Syslog sourcetype #Network [(?::){0}bluecoat*] TRANSFORMS-null = setnull [(?::){0}cisco*] TRANSFORMS-null = setnull [(?::){0}cp_log*] TRANSFORMS-null = setnull [(?::){0}fort*] TRANSFORMS-null = setnull [(?::){0}opsec*] TRANSFORMS-null = setnull [(?::){0}pan*] TRANSFORMS-null = setnull [(?::){0}tipping*] TRANSFORMS-null = setnull #EDR/Others [bit9:carbonblack:json] TRANSFORMS-null = setnull [carbonblack] TRANSFORMS-null = setnull [(?::){0}digital*] TRANSFORMS-null = setnull [(?::){0}deepsecurity*] TRANSFORMS-null = setnull [(?::){0}fe*] TRANSFORMS-null = setnull [(?::){0}horizon*] TRANSFORMS-null = setnull [ibm:was:httpErrorLog] TRANSFORMS-null = setnull [(?::){0}morph*] TRANSFORMS-null = setnull [(?::){0}mobileiron*] TRANSFORMS-null = setnull [(?::){0}symantec*] TRANSFORMS-null = setnull [(?::){0}vmware*] TRANSFORMS-null = setnull ###Allowed Sourcetype [(?::){0}WinEventLog*] TRANSFORMS-routing = chron_transforms_stanza, onperm_transforms_stanza [wineventlog] TRANSFORMS-routing = chron_transforms_stanza, onperm_transforms_stanza [WMI:WinEventLog:Security] TRANSFORMS-routing = chron_transforms_stanza, onperm_transforms_stanza [auditd] TRANSFORMS-routing = chron_transforms_stanza, onperm_transforms_stanza [aixaud] TRANSFORMS-routing = chron_transforms_stanza, onperm_transforms_stanza [solbsm] TRANSFORMS-routing = chron_transforms_stanza, onperm_transforms_stanza [lastlog] TRANSFORMS-routing = chron_transforms_stanza, onperm_transforms_stanza #Transforms.conf [onperm_transforms_stanza] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = idx-autolb-group [chron_transforms_stanza] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = chron-autolb-group [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue         ... View more
Contact Me
Online Status
Offline
Date Last Visited
2 weeks ago