We are trying to configure a heavy forwarder to route **some of the data** to syslog+nullqueue, and **index** the rest of the data.
I tried to use props + transforms to route the desired regex to syslog+null queue.
Issue is, when events go to nullqueue, they do not go to syslog at all.
Is there any way to send to syslog while not indexing?
Here is what I configured in props.conf, transforms.conf:
Sourcetype: BES
Regex to route to syslog: \*INFO
All the other events should be indexed.
**props.conf**
[BES]
TRANSFORMS-bes-syslog=send_to_syslog_bes,nullqueue_bes
**transforms.conf**
[nullqueue_bes]
REGEX = \*INFO
DEST_KEY = queue
FORMAT = nullQueue
[send_to_syslog_bes]
REGEX = \*INFO
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogforward_bes
**outputs.conf**
[tcpout]
defaultGroup = default-autolb-group
[tcpout-server://indexer01:9997]
[tcpout-server://indexer02:9997]
[tcpout:default-autolb-group]
disabled = false
server = indexer01:9997,indexer02:9997
[syslog:syslogforward_bes]
server = x.x.x.x:523
timestampformat = %Y-%m-%dT%H:%M:%S.%3N
↧
How to configure a heavy forwarder to route some of the data to syslog+nullqueue, and rest to index?
↧