Send filtered data to syslog and not index it

cloud_cloud · ‎11-19-2011

How to send filtered system log errors only to syslog and NOT index that data?

My current configuration send to syslog and index data.

props.conf

[nyc]
TRANSFORMS-nyc = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = error
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group, send_to_null

[send_to_null]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

outputs.conf

[syslog:my_syslog_group]
server=192.168.118.128:514
index=false

Takajian · ‎12-01-2011

props.conf
In you case, I assume "nyc" is sourcetype you want to forward to syslog server. So, following configuration will work. Is your target server is syslog, not splunk index server, isn't it.

[nyc]
TRANSFORMS-nyc = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = error
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

outputs.conf

[syslog:my_syslog_group]
server=192.168.118.128:514

sowings · ‎09-09-2013

You'd need a second transform after (as part of the [nyc] sourcetype) to subsequently null queue the local event, after forwarding a copy to syslog.

FRoth · ‎09-09-2013

This forwards the data as syslog - yes.
But the data still gets indexed.

Send filtered data to syslog and not index it

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms