- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to send syslog data to the indexer and ano...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my scenario:
I have an APP that can only send syslog data to one destination.
I have an HF configured to receive syslog data UDP.
I want to send the APP syslog data to a HF.
I need the HF to send the data to the indexer and another destination, BUT I don't want all my syslog data (from other sources) to go to the 3rd party TCP listener - just this specific APP's syslog data.
Also I want the data to go to splunk (cooked), but I want the data to go to the other 3rd party TCP listener (uncooked).
So if I am understanding correctly, I will edit the HF's props.conf, transforms.conf, and outputs.conf as follows:
Edit $SPLUNK_HOME/etc/system/local/props.conf
[syslog]
TRANSFORMS-routing = routeAll, routeSubset
Edit $SPLUNK_HOME/etc/system/local/transforms.conf
[routeAll]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=Everything <-------- This specifies everything syslog goes to the indexer, but not everything to 3rd party TCP receiver?
[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT) <--------- This is where I would specify which data would go to the 3rd party app?
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary < ----------------- This is how I would specify that only the above data would go to the 3rd party TCP receiver?
Edit $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup=nothing
[tcpout:Everything]
disabled=false
server=x.x.x.x:9997 <---- my splunk indexer
[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234 <---- the 3rd party app
Does that look right?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Log_wrangler,
Your configuration looks good please let us know if you will face any issue and community members will help you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Log_wrangler,
Your configuration looks good please let us know if you will face any issue and community members will help you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the confirmation. I am in the staging phase right now, have not had a chance to test-run anything yet.
A couple of followup questions,
1) With the current config above, if I have other sources sending syslog data to the indexer then these sources will not be disturbed and will not be accidentally sent to the 3rd party tcp receiver? If I am understanding correctly,
Edit $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup=nothing <----- setting defaultGroup to nothing defines that "everything" (old and new) goes to indexer and subsidiary goes to 3rd party??
[tcpout:Everything]
disabled=false
server=x.x.x.x:9997
[tcpout:Subsidiary]
disabled=false
sendCookedData=false
server=x.x.x.x:1234
2) Is there any documentation / examples on REGEX for:
[routeSubset]
REGEX=(SYSTEM|CONFIG|THREAT) <--------- This is where I would specify which data would go to the 3rd party app?
DEST_KEY=_TCP_ROUTING
FORMAT=Subsidiary
Thank you
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
