Solved: How can I configure routing that sends specific lo...

yutaka1005 · ‎03-03-2019

I want to configure routing that sends specific logs(syslog_test) to only 514 and other logs to 9997, so I edited props.conf, transforms.conf,outputs.conf of HF like below.

props.conf

[syslog_test]
TRANSFORMS-routing = syslogRouting
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = custom
disabled = false

transforms.conf

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup

outputs.conf

[tcpout]
defaultGroup=everythingElseGroup
[tcpout:everythingElseGroup]
server=Indexer's IP:9997
[syslog:syslogGroup]
server=Indexer's IP:514

But HF forwards syslog_test to 514 and 9997.
What is wrong? Could anyone tell me?

yutaka1005 · ‎03-03-2019

I can do it by changing props.conf and transforms.conf like below.

props.conf

[syslog_test]
TRANSFORMS-routing = syslogRouting,tcpnull
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = custom
disabled = false

transforms.conf

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
[tcpnull]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=

View solution in original post

yutaka1005 · ‎03-03-2019

I can do it by changing props.conf and transforms.conf like below.

props.conf

[syslog_test]
TRANSFORMS-routing = syslogRouting,tcpnull
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = custom
disabled = false

transforms.conf

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup
[tcpnull]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=

How can I configure routing that sends specific logs to only 514 and other logs to 9997?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!