Hi,
I have the following setup:
3rd Party Server <---- Splunk Enterprise (Indexer):9997 <---- [Splunk Enterprise (Heavy Forwarder)] OR [Universal Forwarder]
If the forwarder is monitoring a file, for example /var/log/syslog, how can I forward the events from only that file from the Indexer to the 3rd party server? My conf files in the Indexer are given below, and these settings don't work:
**props.conf:**

```
[source::/var/log/syslog]
TRANSFORMS-routing=send_to_syslog
```

**transforms.conf:**

```
[send_to_syslog]
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_abc
REGEX=.
```

**outputs.conf:**

```
[syslog:syslog_abc]
disabled=false
server=x.x.x.x:514
timestampformat=%b %e %H:%M:%S
type=tcp
```
Thanks
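A small consistency check for the props -> transforms -> outputs syslog routing chain described in the question. This is an added example, not code from the post or from Splunk; the three stanza strings are constructed copies of the question's own configuration, and the stanza names and keys are taken from them.

```python
import configparser
import re

# Constructed copies of the three stanzas from the question (placeholder server).
PROPS = """
[source::/var/log/syslog]
TRANSFORMS-routing=send_to_syslog
"""
TRANSFORMS = """
[send_to_syslog]
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_abc
REGEX=.
"""
OUTPUTS = """
[syslog:syslog_abc]
disabled=false
server=x.x.x.x:514
timestampformat=%b %e %H:%M:%S
type=tcp
"""

def parse_conf(text):
    """Parse a Splunk-style .conf (INI-like) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_syslog_routing(props, transforms, outputs):
    """Follow every TRANSFORMS-* reference and return a list of problems (empty = consistent)."""
    problems = []
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (v.strip() for v in value.split(",")):
                t = transforms.get(name)
                if t is None:
                    problems.append(f"[{stanza}]: {key} refers to missing transforms stanza [{name}]")
                    continue
                if t.get("DEST_KEY") != "_SYSLOG_ROUTING":
                    problems.append(f"[{name}]: DEST_KEY must be _SYSLOG_ROUTING for syslog output")
                group = t.get("FORMAT", "")
                out = outputs.get(f"syslog:{group}")
                if out is None:
                    problems.append(f"[{name}]: FORMAT={group!r} has no [syslog:{group}] stanza in outputs.conf")
                    continue
                if out.get("disabled", "false").strip().lower() == "true":
                    problems.append(f"[syslog:{group}] is disabled")
                if not re.fullmatch(r"[^\s:]+:\d+", out.get("server", "")):
                    problems.append(f"[syslog:{group}]: server must be host:port, got {out.get('server')!r}")
    return problems
```

Run against the stanzas as posted, the check returns no problems, so a dangling stanza or group name is not what breaks this setup; the remaining suspects are where the data is parsed (a heavy forwarder cooks events before the indexer sees them) and network reachability of the syslog server.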