Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to send syslog data to the indexer and another TCP listener?

Log_wrangler
Builder
‎12-21-2017 08:18 AM

Need a little help as I have not set this up before.
Here is my scenario.

I have an APP that can only send syslog data to one destination.
I have an HF configured to receive syslog data UDP.
I want to send the APP syslog data to a HF.
I need the HF to send the data to the indexer and another destination.

I want the data to go to splunk (cooked), but I want the data to go to the other destination (uncooked).

Please advise the best way to configure this.
Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-21-2017 08:42 AM

You can refer to following Splunk documentation to learn about Splunk routing.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Replicate_a_su...

The example in above post sends all data to Indexer and selected data to third party. If you want to send all data to both Indexers and third party system, you'd use just routeAll.

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything

To send the uncooked data to third party, you'd set sendCookedData to false in outputs.conf entry for third party system.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Forwarddatatothird-partysystemsd

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-21-2017 08:42 AM

You can refer to following Splunk documentation to learn about Splunk routing.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Replicate_a_su...

The example in above post sends all data to Indexer and selected data to third party. If you want to send all data to both Indexers and third party system, you'd use just routeAll.

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary,Everything

To send the uncooked data to third party, you'd set sendCookedData to false in outputs.conf entry for third party system.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Forwarddatatothird-partysystemsd

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎12-21-2017 08:57 AM

Thank you, I will take a look.

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎12-21-2017 09:46 AM

So if I am understanding correctly, I will edit the HF's props.conf, transforms.conf, and outputs.conf as follows:

Edit $SPLUNK_HOME/etc/system/local/props.conf

[syslog]
TRANSFORMS-routing = routeAll <----- do I need route subset if I am sending all to both?

Edit $SPLUNK_HOME/etc/system/local/transforms.conf

[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything

Edit $SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout]
defaultGroup=nothing

[tcpout:Everything]
disabled=false
server=x.x.x.x:9997 <---- my splunk indexer

[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234 <---- the 3rd party app

Does that look right?
Thanks

Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎12-21-2017 11:16 AM

Hey @log_wrangler (sweet username!) your comment is posted now! The submissions were in the mod queue. Sorry if that was frustrating. If you get 6 more karma points your posts will only be moderated if they meet the other standard criteria. (30 points). Actually, I'll upvote your comment so you're in the clear. 🙂

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎12-21-2017 12:09 PM

Please post my second part question

How to send syslog data to the indexer and another TCP listener? (Part 2)

It is "awaiting moderation".

Thank you

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎12-21-2017 11:28 AM

@lfedak, Thank you for the upvote. Can you please post my (Part 2) question when you have time?

Thank you

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-21-2017 11:19 AM

Your props.conf looks correct (your just routeAll since you're sending all data)
Your transforms.conf needs correction. The FORMAT should include both the tcpout group as you want to copy the data to both destination (Everything for your indexer and Subsidiary for your third party app).

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎12-21-2017 11:26 AM

Thank you Somesoni!! If you don't mind... I actually created a part 2 question. Please take a look at that question. There is an additional criterion to my scenario. Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...