Solved: Can I route some data as syslog output to multiple...

Dan · ‎06-25-2010

I am indexing data feeds A and B and want to forward just data from B as syslog to servers X and Y (cloning the data stream). How can I do this?

Dan · ‎06-25-2010

Here is an example config that accomplishes this. I would recommend reading: http://www.splunk.com/base/Documentation/latest/Admin/Configureforwarderswithoutputs.conf

outputs.conf

[syslog]
defaultGroup=nothing
indexAndForward=true

[syslog:serverX]
server = beefysup01:514

[syslog:serverY]
server = 10.1.12.10:514

Note: By default, all events will get sent to all configured target groups. To avoid this, you need to set defaultGroup=nothing ("nothing" can be any name that is not defined as a target group). Then you manually route data to the targets using props and transforms.

props.conf

[source::B]
TRANSFORMS-routing=syslogRouting

Note: This is an example of why you should receive different types of network inputs on different ports. If data feeds A and B were different kinds of syslog (say router data and proxy data), and if both were received on default syslog port 514, then you would have a hard time separating A from B.

transforms.conf

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=serverX,serverY

Note: FORMAT is a comma separated list of target groups, which results in cloning of the data.

View solution in original post

gkanapathy · ‎06-25-2010

I believe that this could be more efficiently accomplished this way, assuming feed A comes in in port 1500, and B comes in on port 1600:

inputs.conf:

[udp:1500]
_SYSLOG_ROUTING = nothing

[udp:1600]
_SYSLOG_ROUTING = serverX,serverY

outputs.conf:

[syslog]
defaultGroup = none

[serverX]
server = x:1234
[serverY]
server = y:1234

Dan · ‎06-26-2010

I think you can only set _TCPOUT_ROUTING in inputs.conf

Dan · ‎06-25-2010

Here is an example config that accomplishes this. I would recommend reading: http://www.splunk.com/base/Documentation/latest/Admin/Configureforwarderswithoutputs.conf

outputs.conf

[syslog]
defaultGroup=nothing
indexAndForward=true

[syslog:serverX]
server = beefysup01:514

[syslog:serverY]
server = 10.1.12.10:514

Note: By default, all events will get sent to all configured target groups. To avoid this, you need to set defaultGroup=nothing ("nothing" can be any name that is not defined as a target group). Then you manually route data to the targets using props and transforms.

props.conf

[source::B]
TRANSFORMS-routing=syslogRouting

Note: This is an example of why you should receive different types of network inputs on different ports. If data feeds A and B were different kinds of syslog (say router data and proxy data), and if both were received on default syslog port 514, then you would have a hard time separating A from B.

transforms.conf

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=serverX,serverY

Note: FORMAT is a comma separated list of target groups, which results in cloning of the data.

Can I route some data as syslog output to multiple destinations?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio