Following the documentation http://www.splunk.com/base/Documentation/latest/admin/Forwarddatatothird-partysystems I've set up a system to forward data to a syslog server. However, while using a host::hostname works, it seems that using source::/path/file or source::/path/directory is not working. Does it also need to have a monitor defined?
It will not work if you have overridden your source (unless you use the original source value). This may be your problem.
props.conf:
[source::/opt/glassfishv3/glassfish/domains/domain1/logs/]
TRANSFORMS-routing = send_to_syslog
transforms.conf:
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = INM01
outputs.conf:
[syslog:INM01]
server = 10.10.40.10:10514
type = tcp
The official documentation does not use the REGEX param in the transforms file; however, it didn't work without specifying it.
I've also used the 3 dots (...) in front of the path, but still no luck.
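The source stanza in the post above names a directory path, and the question is what a source:: header actually matches. The following Python script is an added example (not from the original thread and not Splunk's own code) that emulates the wildcard rules the props.conf documentation gives for source:: headers, assumed here to be: `...` matches any characters including `/`, `*` matches any characters except `/`, everything else is literal, and the whole source value must match. The directory path is taken from the post; `server.log` is a constructed file name.

```python
import re

# Assumed semantics (emulation only, not Splunk's matcher):
# "..." -> anything including "/", "*" -> anything except "/",
# the remaining text is literal, and the match is anchored at both ends.
def source_stanza_to_regex(stanza: str) -> re.Pattern:
    """Convert a props.conf [source::<pattern>] header into an anchored regex."""
    pattern = stanza.strip()
    if pattern.startswith("[") and pattern.endswith("]"):
        pattern = pattern[1:-1]
    if not pattern.startswith("source::"):
        raise ValueError("not a source:: stanza: %r" % stanza)
    pattern = pattern[len("source::"):]
    parts = []
    # Split on the two wildcards so that every literal piece gets escaped.
    for token in re.split(r"(\.\.\.|\*)", pattern):
        if token == "...":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + "$")


def stanza_matches(stanza: str, source: str) -> bool:
    """True if the source value would be selected by the given stanza."""
    return source_stanza_to_regex(stanza).match(source) is not None


# Stanza from the question (directory only) beside a recursive variant,
# checked against a constructed log file under that directory.
DIR_STANZA = "[source::/opt/glassfishv3/glassfish/domains/domain1/logs/]"
RECURSIVE_STANZA = "[source::/opt/glassfishv3/glassfish/domains/domain1/logs/...]"
SERVER_LOG = "/opt/glassfishv3/glassfish/domains/domain1/logs/server.log"

if __name__ == "__main__":
    for stanza in (DIR_STANZA, RECURSIVE_STANZA):
        print(f"{stanza}: {stanza_matches(stanza, SERVER_LOG)}")
```

Under these rules a header that ends in `logs/` only matches a source that is exactly that directory string, so a file beneath it is not selected until a trailing `...` or `*` is added; a leading `...` alone does not change that.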
Replacing the source with hostname:: should work. Show your stanza for more details.