Channel: Questions in topic: "heavy-forwarder"

How to send syslog data to the indexer and another TCP listener? (Part 2)

My scenario: I have an APP that can only send syslog data to one destination. I have an HF configured to receive syslog data over UDP. I want to send the APP's syslog data to the HF. I need the HF to send the data to the indexer and to another destination, BUT I don't want all my syslog data (from other sources) to go to the 3rd party TCP listener - just this specific APP's syslog data. Also, I want the data to go to Splunk (cooked), but I want the data to go to the other 3rd party TCP listener (uncooked). So if I am understanding correctly, I will edit the HF's props.conf, transforms.conf, and outputs.conf as follows:

Edit $SPLUNK_HOME/etc/system/local/props.conf

    [syslog]
    TRANSFORMS-routing = routeAll, routeSubset

Edit $SPLUNK_HOME/etc/system/local/transforms.conf

    [routeAll]
    REGEX=(.)
    DEST_KEY=_TCP_ROUTING
    FORMAT=Everything              <-------- This specifies everything syslog goes to the indexer, but not everything to the 3rd party TCP receiver?

    [routeSubset]
    REGEX=(SYSTEM|CONFIG|THREAT)   <--------- This is where I would specify which data would go to the 3rd party app?
    DEST_KEY=_TCP_ROUTING
    FORMAT=Subsidiary              <--------- This is how I would specify that only the above data would go to the 3rd party TCP receiver?

Edit $SPLUNK_HOME/etc/system/local/outputs.conf

    [tcpout]
    defaultGroup=nothing

    [tcpout:Everything]
    disabled=false
    server=x.x.x.x:9997            <---- my Splunk indexer

    [tcpout:Subsidiary]
    disabled=false
    sendCookedData=false
    server=x.x.x.x:1234            <---- the 3rd party app

Does that look right? Thanks
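An added example, not code from the original post or from Splunk: a small Python model of how a heavy forwarder evaluates a TRANSFORMS-routing list. Each matching transform overwrites _TCP_ROUTING rather than appending to it, so with FORMAT=Subsidiary in routeSubset an event containing SYSTEM, CONFIG or THREAT is routed only to the third-party listener and never reaches the indexer, whereas FORMAT=Everything,Subsidiary (the form Splunk's routing documentation uses) sends it to both. The sample syslog lines are constructed, and the model ignores sourcetype scoping (the [syslog] props stanza only applies to events with that sourcetype).

```python
import re

# Constructed sample events (not from the post); the firewall-style lines carry
# a category word in the raw text, the sshd line does not.
SAMPLE_EVENTS = [
    "<134>Jan  1 00:00:01 fw01 1,2024/01/01,SYSTEM,general,admin login ok",
    "<134>Jan  1 00:00:02 fw01 1,2024/01/01,THREAT,vulnerability,signature hit",
    "<134>Jan  1 00:00:03 fw01 1,2024/01/01,TRAFFIC,end,allow",
    "<134>Jan  1 00:00:04 host2 sshd[1]: Accepted publickey for ops",
]

# (REGEX, FORMAT) pairs in the order TRANSFORMS-routing lists them.
AS_POSTED = [
    (r"(.)", "Everything"),
    (r"(SYSTEM|CONFIG|THREAT)", "Subsidiary"),
]
CORRECTED = [
    (r"(.)", "Everything"),
    (r"(SYSTEM|CONFIG|THREAT)", "Everything,Subsidiary"),
]


def route_event(raw, transforms, default_group="nothing"):
    """Return the tcpout group names an event is sent to.

    Model of the HF behaviour: transforms run in list order and each one
    whose REGEX matches _raw overwrites DEST_KEY (_TCP_ROUTING), so the
    last match wins. An event no transform matches falls back to the
    defaultGroup value. The REGEX is case-sensitive: 'system' does not
    match SYSTEM.
    """
    tcp_routing = None
    for regex, fmt in transforms:
        if re.search(regex, raw):
            tcp_routing = fmt
    if tcp_routing is None:
        tcp_routing = default_group
    return [group.strip() for group in tcp_routing.split(",")]


def compare_routing(events, posted=AS_POSTED, corrected=CORRECTED):
    """Side-by-side routing of each event under both transform lists."""
    return [(raw, route_event(raw, posted), route_event(raw, corrected))
            for raw in events]


if __name__ == "__main__":
    for raw, posted, fixed in compare_routing(SAMPLE_EVENTS):
        print(f"{raw[:48]:<48} posted={posted} corrected={fixed}")
```

Whether the third-party copy is raw or cooked is decided separately, by sendCookedData=false in the [tcpout:Subsidiary] stanza, not by the transforms.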
