outputs.conf

bvv · ‎02-26-2020

outputs.conf

[syslog:syslogGroup]
server = x.x.x.x:514

props.conf

[helloworld]
TRANSFORMS-rsyslog = syslogRouting

transforms.conf

[syslogRouting]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup

This config is applied on an indexer (many tutorials use a heavy forwarder which by defaults does not index data). This works perfectly in forwarding rawdata in syslog to another system however rawdata is also being indexed. Is there a way to prevent indexing from happening?

I've tried adding a nullQueue stanza to props.conf without luck.

masonmorales · ‎02-26-2020

Is the data already cooked when it hits the indexer? / What's forwarding the data to the indexer?

bvv · ‎02-26-2020

Data is not not cooked
UF-->This splunk instance (both Indexer and Search Head role)

manjunathmeti · ‎02-26-2020

Set index = false for indexAndForward in outputs.conf.

[indexAndForward]
index=false

bvv · ‎02-26-2020

This will stop not just [helloworld] but all other indexes from indexing.

The splunk instance itself is an Indexer and a Search Head at the same time.

manjunathmeti · ‎02-26-2020

You can try this. Set selectiveIndexing = true. And remove attribute _INDEX_AND_FORWARD_ROUTING if added under monitor stanza in inputs.conf. This makes forwarder to not index this data.

[indexAndForward]
index=true
selectiveIndexing = true

bvv · ‎02-26-2020

This stopped indexing on all indexes as well..
I might consider setting up a HF to pick up data from UF instead of sending directly to Indexer.

Prevent Indexer from indexing whilst forwarding syslog to a 3rd party system

outputs.conf

props.conf

transforms.conf

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases