My scenario:
I have an APP that can only send syslog data to one destination.
I have an HF configured to receive syslog data UDP.
I want to send the APP syslog data to a HF.
I need the HF to send the data to the indexer and another destination, BUT I don't want all my syslog data (from other sources) to go to the 3rd party TCP listener - just this specific APP's syslog data.
Also I want the data to go to splunk (cooked), but I want the data to go to the other 3rd party TCP listener (uncooked).
So if I am understanding correctly, I will edit the HF's props.conf, transforms.conf, and outputs.conf as follows:
Edit $SPLUNK_HOME/etc/system/local/props.conf
[syslog]
# applied to every event of sourcetype syslog; the transforms run in the order listed
TRANSFORMS-routing = routeAll, routeSubset
Edit $SPLUNK_HOME/etc/system/local/transforms.conf
[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything <-------- This specifies everything syslog goes to the indexer, but not everything to 3rd party TCP receiver?
[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT) <--------- This is where I would specify which data would go to the 3rd party app?
DEST_KEY=_TCP_ROUTING
# routeSubset runs after routeAll and overwrites _TCP_ROUTING, so it must list
# Everything as well, or matching events would reach only the 3rd party receiver
FORMAT=Subsidiary,Everything <----------------- This is how I would specify that only the above data would go to the 3rd party TCP receiver?
Edit $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup=nothing
[tcpout:Everything]
disabled=false
server=x.x.x.x:9997 <---- my splunk indexer
[tcpout:Subsidiary]
disabled=false
# raw event text goes to the 3rd party receiver instead of Splunk's cooked format
sendCookedData=false
server=x.x.x.x:1234 <---- the 3rd party app
Does that look right?
Thanks
Hi @Log_wrangler,
Your configuration looks good. Please let us know if you face any issue and community members will help you.
Thank you for the confirmation. I am in the staging phase right now and have not had a chance to test-run anything yet.
A couple of follow-up questions:
1) With the current config above, if I have other sources sending syslog data to the indexer, will these sources be left undisturbed and not accidentally sent to the 3rd party TCP receiver? If I am understanding correctly,
Edit $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup=nothing <----- setting defaultGroup to nothing defines that "everything" (old and new) goes to the indexer and subsidiary goes to the 3rd party?
[tcpout:Everything]
disabled=false
server=x.x.x.x:9997
[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234
2) Is there any documentation / examples on REGEX for:
[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT) <--------- This is where I would specify which data would go to the 3rd party app?
DEST_KEY=_TCP_ROUTING
# routeSubset overwrites the _TCP_ROUTING value set by routeAll, so it must
# list Everything too, or matching events would only reach the 3rd party receiver
FORMAT=Subsidiary,Everything
Thank you
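The following is an added example, not code from the thread or from Splunk: a small Python model of what the HF does with the props/transforms/outputs chain posted above, run over a few constructed syslog lines, so that both the original routing question and follow-up questions 1) and 2) can be checked without a staging box. It assumes Splunk semantics that hold for TRANSFORMS-routing but are modelled here rather than taken from the product: stanzas in the TRANSFORMS-routing list run in order, each matching stanza overwrites the DEST_KEY value (so the last match wins), REGEX is an unanchored match against _raw, and a defaultGroup that names no [tcpout:...] stanza forwards nothing. The sample events, host names and server addresses are made up; "x.x.x.x" is kept from the thread.

```python
import re

# Constructed sample events (not from the thread): a firewall-style APP writing
# SYSTEM/THREAT/TRAFFIC records plus an unrelated sshd line, all arriving on
# the HF's UDP syslog input, so all carry sourcetype=syslog.
SAMPLE_EVENTS = [
    ("syslog", "<14>Jan 10 12:00:01 fw01 app: 1,2024/01/10,SYSTEM,general,startup complete"),
    ("syslog", "<14>Jan 10 12:00:02 fw01 app: 1,2024/01/10,THREAT,vulnerability,blocked"),
    ("syslog", "<14>Jan 10 12:00:03 fw01 app: 1,2024/01/10,TRAFFIC,end,allowed"),
    ("syslog", "<13>Jan 10 12:00:04 host02 sshd[123]: Accepted publickey for bob"),
]

# outputs.conf from the thread, expressed as data.
OUTPUTS = {
    "defaultGroup": "nothing",
    "groups": {
        "Everything": {"server": "x.x.x.x:9997", "sendCookedData": True},
        "Subsidiary": {"server": "x.x.x.x:1234", "sendCookedData": False},
    },
}

# transforms.conf as first posted: routeSubset overwrites _TCP_ROUTING with
# "Subsidiary" only, so matching events never reach the indexer.
TRANSFORMS_AS_POSTED = [
    ("routeAll", r"(.)", "Everything"),
    ("routeSubset", r"(SYSTEM|CONFIG|THREAT)", "Subsidiary"),
]

# Corrected chain: list both groups so matched events go to both destinations.
TRANSFORMS_FIXED = [
    ("routeAll", r"(.)", "Everything"),
    ("routeSubset", r"(SYSTEM|CONFIG|THREAT)", "Subsidiary,Everything"),
]


def tcp_routing_for(event, transforms):
    """Apply the TRANSFORMS-routing chain in order. Each stanza whose REGEX
    matches _raw sets _TCP_ROUTING to its FORMAT, replacing any earlier value
    (assumed Splunk semantics: last matching stanza wins)."""
    tcp_routing = None
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            tcp_routing = fmt
    return tcp_routing


def destinations(sourcetype, event, transforms, outputs=OUTPUTS):
    """Return the list of (group, server, 'cooked'|'raw') an event is sent to.
    The chain only applies to sourcetype syslog, mirroring the [syslog] stanza
    in props.conf; anything else falls back to defaultGroup (assumption: a
    defaultGroup naming no tcpout stanza forwards nothing)."""
    routing = tcp_routing_for(event, transforms) if sourcetype == "syslog" else None
    if routing is None:
        routing = outputs["defaultGroup"]
    sent = []
    for group in (g.strip() for g in routing.split(",")):
        cfg = outputs["groups"].get(group)
        if cfg is None:
            continue  # "nothing" names no tcpout group: not forwarded anywhere
        sent.append((group, cfg["server"], "cooked" if cfg["sendCookedData"] else "raw"))
    return sent


def route_all(events, transforms):
    """Route every (sourcetype, event) pair and return event -> destinations."""
    return {event: destinations(st, event, transforms) for st, event in events}


if __name__ == "__main__":
    for label, chain in (("as posted", TRANSFORMS_AS_POSTED), ("fixed", TRANSFORMS_FIXED)):
        print(f"== transforms.conf {label} ==")
        for event, dests in route_all(SAMPLE_EVENTS, chain).items():
            print(event[:45], "->", [(g, mode) for g, _srv, mode in dests])
```

Running it shows the answer to question 1): with the FORMAT fix, every syslog event (the TRAFFIC line and the unrelated sshd line included) goes only to Everything, and only the SYSTEM/THREAT lines additionally go raw to Subsidiary; with FORMAT=Subsidiary as first posted, those two lines would disappear from the indexer. On question 2), REGEX in transforms.conf is a Perl-compatible regex applied, by default, to the whole raw event text (SOURCE_KEY defaults to _raw), case-sensitive and unanchored; a free-text message that happens to contain the word THREAT would therefore also be copied to the third party, so if the APP puts its log type at a fixed position it is worth anchoring the pattern to that position rather than matching the bare word.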