Hi all,
I'm a noobja, not a ninja. I have a Windows based Splunk Enterprise single node index running 7.0.2. I'm trying to use it as a relay of sorts: I have a dataset coming into a dedicated index, and I'd like to either forward that data or mirror the data to a 3rd party. There is no requirement to keep the data in Splunk otherwise. I've read around quite a bit and I'm probably close, but I can't seem to get something right. So far I've only been successful at redirecting all the data to the 3rd party, not a subset of data as preferred. When I apply my settings, I no longer see data in real time in my Splunk environment, but I do see data at the 3rd party endpoint.
I'm confused about whether I can use the index itself as a heavy forwarder. I didn't find a props.conf file, so I created one in C:\Program Files\Splunk\etc\system\local.
-outputs.conf-
[tcpout]
defaultGroup=nothing
[tcpout:3rdPartyDest]
server=aaa.bbb.ccc.ddd:514
type=tcp
sendCookedData=false
-props.conf-
[source]
TRANSFORMS-routing = transforms_3rdParty
-transforms.conf-
[SiteCode] (already existed)
filename = SiteCode.csv
[transforms_3rdParty]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=3rdPartyDest
I've seen references to the indexAndForward flag as well as to setting the output default group to nothing, but I can't seem to get the right combo working properly, and I don't want to redirect our flow via trial and error anymore.
Any help is appreciated!
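For comparison with the config above, here is an added example of the same three files set up for selective routing; it is not from the original post. It assumes the dedicated index receives data with a single sourcetype, written here as the placeholder `your_sourcetype`, and uses only settings that exist in Splunk Enterprise.

```ini
# --- outputs.conf (etc/system/local) ---
[tcpout]
# Route nothing by default, so data that no transform tags stays local.
defaultGroup = nothing
# Keep a local indexed copy of whatever IS forwarded (default is false on an
# indexer with tcpout configured, which is why forwarded data vanished locally).
indexAndForward = true

[tcpout:3rdPartyDest]
server = aaa.bbb.ccc.ddd:514
type = tcp
# Raw events, no Splunk cooked-data framing, for a non-Splunk receiver.
sendCookedData = false

# --- props.conf (etc/system/local) ---
# A props.conf stanza header is a sourcetype name, or source::<pattern>, or
# host::<pattern>. A bare [source] is read as a sourcetype literally named
# "source", so scope the transform to the real sourcetype instead.
[your_sourcetype]
TRANSFORMS-routing = transforms_3rdParty

# --- transforms.conf (etc/system/local) ---
[transforms_3rdParty]
# Match every event of the scoped sourcetype and tag it for the tcpout group.
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = 3rdPartyDest
```

Events of other sourcetypes never get `_TCP_ROUTING` set, so they fall through to the empty default group and are only indexed locally.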