Forwarding selected events from Indexer to thrid-p...

tobiasvollrath · ‎09-05-2013

Hi,
in our system we have same universal forwarders, one indexer and a third-party system that expect only events in syslog-format.

How can I send selected events from the indexer via syslog to my third-party system. That selected events should not save in the indexer. All other events should be indexed.

Is there a way to do this?

I try this configuration, but the index sent all events via syslog.

#inputs.conf [splunktcp-ssl://9997] _SYSLOG_ROUTING = syslog_test

#outputs.conf [syslog:syslog_test] server = 192.168.0.42:10514

Thanks for your help,
with best greetings

Tobias

tobiasvollrath · ‎09-06-2013

It works! Thanks a lot.

But there is one open querstion:

The indexer should not index the events wich go out via syslog. Is this posible?

fbl_itcs · ‎09-06-2013

Hi,

you can do that with a transformation.

You define the output in your outputs.conf. Then you create a transformation using props.conf and transforms.conf:

props.conf:

[sourcetypename OR host::HOSTNAME OR source::SOURCENAME]
TRANSFORMS-syslog = syslog_out

transforms.conf

[syslog_out]
REGEX = REGEX_TO_FILTER_EVENTS_GOES_HERE
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_test

Forwarding selected events from Indexer to thrid-party application

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor