
How to route a specific event to a target destination while other events are not forwarded

pankajupadhyay
Path Finder

Hi

Can someone please help me out here?

I want to forward particular events to a target server, and the other one will receive all logs by default, as it is in the default group.

transforms.conf:

[logs_type1]
REGEX = (logged out|Rejected password for user|Cannot login|logged in as|Accepted user for user|was updated on host|Password was changed for account|Destroy VM called)
DEST_KEY = _TCP_ROUTING
FORMAT = esxireceivier

props.conf:

[vmw_logs]
TRANSFORMS-routing = logs_type1

Is my configuration fine, or can someone help me out here?


gcusello
SplunkTrust

Hi @pankajupadhyay,

let me understand:

  • you want to send all logs to some indexers,
  • and some logs to a defined indexer (these logs are sent to both the indexers),
  • and there isn't any local indexing on the HF;

is this correct?

If this is your need, see https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Perform_selective_... for more info.

Anyway, you have to configure:

In outputs.conf:

[indexAndForward]
index=false
selectiveIndexing=true 

[tcpout:<target_group>]
server = <ip address>:<port>, <ip address>:<port>, ...
...

In inputs.conf, add the _TCP_ROUTING setting to the stanzas of each input that you want to forward:

 

[input_stanza]
_TCP_ROUTING=<target_group>
...

 

Where <target_group> is the name used in outputs.conf to specify the target group of receiving indexers.

If you don't insert _TCP_ROUTING=<target_group>, the log is sent to both the target servers.

In this way you send all the events where there isn't any _TCP_ROUTING to all the indexers, and the events where _TCP_ROUTING=selected_targets only to one server.

Then, if you want to filter events in the selected indexers, you can do this following the instructions in the same URL above.

Ciao.

Giuseppe


pankajupadhyay
Path Finder

@gcusello  

I want to send only the specific events that I mentioned in the REGEX to the selected target destination (third-party collector).

Our indexer is in the default group, so by default all the logs will come to the Splunk indexer.

And we have a heavy forwarder where we define the configuration and send it to the indexer and the third-party collector.

Is my configuration valid?

As I mentioned in transforms.conf, the event should be sent to the target server and the rest should not go.

Let me know if I have made a mistake or if I can make the configuration more precise.

gcusello
SplunkTrust

Hi @pankajupadhyay,

the selective indexing configuration is the one I described!

Anyway, what did you insert in outputs.conf?

Ciao.

Giuseppe


pankajupadhyay
Path Finder

@gcusello 

This is my outputs.conf:

[tcpout:xyz]
server = 10.1.1.1:520
sendCookedData = false
disabled = false

pankajupadhyay
Path Finder

@gcusello

I am not indexing my data on the HF:

[indexAndForward]
index=false
selectiveIndexing=true

And the third-party target server is not Splunk; it is IBM QRadar.

gcusello
SplunkTrust

Hi @pankajupadhyay,

You can send data using TCP or syslog, as described at https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Forwarddatatothird-partysystemsd#Forwa...

If you use TCP routing, check that the outputs.conf tcpout stanza name is the same one you used in the transforms.conf FORMAT option.

Ciao.

Giuseppe


pankajupadhyay
Path Finder

@gcusello

I have called the same tcpout group from outputs.conf in transforms.conf:

FORMAT = <the name that we defined in outputs.conf>

But it is still sending other events that I have not mentioned in the REGEX of transforms.conf.

gcusello
SplunkTrust
SplunkTrust

Hi @pankajupadhyay,

I encountered the same issue in the past, and in the end I preferred to send logs via syslog using the Syslog Mod Alert App (https://splunkbase.splunk.com/app/4199/).

In this way you can filter the events to send using a search.

Ciao.

Giuseppe

pankajupadhyay
Path Finder

@gcusello 

We faced an issue while forwarding the logs as syslog; that's why we are forwarding the logs over TCP.

Aside from that, is my regex fine and correct?

Regards

Pankaj Upadhyay
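The routing behaviour discussed in this thread (gcusello's outputs.conf / _TCP_ROUTING explanation and the regex question at the end), as an added example that is not part of the original posts and is not Splunk's own code: a small Python model of the documented precedence rules. Transforms listed in a props.conf TRANSFORMS-* setting run in order and a later match overwrites the _TCP_ROUTING key; an event that no transform routed falls back to the [tcpout] defaultGroup; and FORMAT must name an existing [tcpout:<group>] stanza. The REGEX and the xyz group (10.1.1.1:520) are the poster's; the group name splunk_indexers, the indexer address 10.1.1.10:9997, the [routeAll] and [logs_type1_both] stanzas and the sample ESXi lines are assumptions constructed for the example. The model also shows a caveat the thread does not spell out: with FORMAT = xyz alone, matched events reach QRadar only and are not indexed in Splunk; listing both groups in FORMAT sends them to both.

```python
import re
from configparser import ConfigParser

# Constructed to model the thread; nothing here is read from a live Splunk system.
# "xyz" and 10.1.1.1:520 are from the poster's outputs.conf; the group name
# "splunk_indexers" and the indexer address 10.1.1.10:9997 are assumptions.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = 10.1.1.10:9997

[tcpout:xyz]
server = 10.1.1.1:520
sendCookedData = false
"""

# The poster's REGEX, unchanged.
LOGIN_REGEX = ("(logged out|Rejected password for user|Cannot login|logged in as|"
               "Accepted user for user|was updated on host|"
               "Password was changed for account|Destroy VM called)")

# logs_type1 is the poster's transform with FORMAT set to the real tcpout group name.
# routeAll (REGEX = . matches every event) pins everything to the indexers explicitly,
# and logs_type1_both lists both groups so matched events are indexed as well as
# forwarded. Both extra stanzas are assumed additions named here for illustration.
TRANSFORMS_CONF = f"""
[logs_type1]
REGEX = {LOGIN_REGEX}
DEST_KEY = _TCP_ROUTING
FORMAT = xyz

[logs_type1_both]
REGEX = {LOGIN_REGEX}
DEST_KEY = _TCP_ROUTING
FORMAT = xyz, splunk_indexers

[routeAll]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = splunk_indexers
"""

# The poster's props.conf: matched events go to xyz only; everything else silently
# falls back to defaultGroup.
PROPS_POSTER = """
[vmw_logs]
TRANSFORMS-routing = logs_type1
"""

# Documented pattern: route everything to the indexers first, then let the more
# specific transform overwrite the routing key for the events that match.
PROPS_EXPLICIT_BOTH = """
[vmw_logs]
TRANSFORMS-routing = routeAll, logs_type1_both
"""

# Constructed ESXi-style sample lines; three match the REGEX, two do not.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z esx01 Hostd: Accepted user for user root from 10.0.0.5",
    "2024-05-01T10:00:05Z esx01 Hostd: Rejected password for user admin from 10.0.0.7",
    "2024-05-01T10:00:10Z esx01 vpxa: Destroy VM called for vm-42",
    "2024-05-01T10:00:15Z esx01 Hostd: Event 12345 : Host is no longer in maintenance mode",
    "2024-05-01T10:00:20Z esx01 vmkernel: cpu0: ScsiDeviceIO: 2.3 GB read from naa.600",
]


def parse_conf(text):
    """Parse a Splunk-style .conf fragment, preserving key case (DEST_KEY, defaultGroup)."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def route_event(event, sourcetype, props, transforms, outputs):
    """Return the sorted list of tcpout groups one event of `sourcetype` is sent to.

    Transforms run in the order listed in TRANSFORMS-*; a later REGEX match
    overwrites _TCP_ROUTING. If no transform set it, defaultGroup applies.
    """
    routing = None
    for key, value in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") != "_TCP_ROUTING":
                continue
            if re.search(t["REGEX"], event):
                routing = t["FORMAT"]
    if routing is None:
        routing = outputs["tcpout"]["defaultGroup"]
    groups = sorted(g.strip() for g in routing.split(","))
    for g in groups:  # the mismatch gcusello warned about (FORMAT vs. tcpout stanza name)
        if f"tcpout:{g}" not in outputs:
            raise ValueError(f"routing names {g!r} but outputs.conf has no [tcpout:{g}]")
    return groups


def route_all(events, props_text, transforms_text=TRANSFORMS_CONF,
              outputs_text=OUTPUTS_CONF, sourcetype="vmw_logs"):
    """Map every sample event to the groups it would reach under the given props.conf."""
    props, transforms, outputs = (parse_conf(t) for t in (props_text, transforms_text, outputs_text))
    return {ev: route_event(ev, sourcetype, props, transforms, outputs) for ev in events}


if __name__ == "__main__":
    for label, props in (("poster", PROPS_POSTER), ("routeAll + both groups", PROPS_EXPLICIT_BOTH)):
        print(f"== {label} ==")
        for ev, groups in route_all(SAMPLE_EVENTS, props).items():
            print(f"{', '.join(groups):26} <- {ev[21:75]}")
```

Running it shows that under the poster's props.conf the three login/VM events go to xyz only and the other two go to the indexers because of defaultGroup; under the routeAll variant the non-matching events are routed explicitly and the matched ones reach both groups. Swapping FORMAT = xyz for a name that has no [tcpout:...] stanza (as in the poster's first transforms.conf, where FORMAT = esxireceivier while outputs.conf defines xyz) raises a ValueError in the model.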