Hi,
I'm using a Splunk Heavy Forwarder with props.conf, transforms.conf and outputs.conf to selectively send events to different Splunk indexers based on the sourcetype. That works well.
But now I have a new need: For a specific sourcetype (csi_pclog), I need to get rid of most events first, then route remaining events to a specific indexer. For some reason, I'm having trouble making this work. I'm not receiving any events and I've checked in the actual file I'm forwarding - there's data in there.
Basically all events for sourcetype=csi_pclog need to be dropped, except events with the word "Login". Here's what I have:
props.conf

[csi_pclog]
TRANSFORMS-routing=itseccsiappRouting, itseccsiappDiscard

transforms.conf

[itseccsiappDiscard]
REGEX=.
DEST_KEY= queue
FORMAT=nullQueue

[itseccsiappRouting]
REGEX=Login
DEST_KEY=_TCP_ROUTING
FORMAT=default-autolb-group

outputs.conf

[tcpout]
defaultGroup = default-autolb-group
forwardedindex.3.whitelist = (_audit|_internal|_introspection|_telemetry)

[tcpout:default-autolb-group]
server = indexer1:9997

[tcpout-server://indexer1:9997]

[tcpout:itsechf]
server = indexer2:9997
What am I doing wrong?
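Added example (not part of the post above): a small Python model of how Splunk evaluates the stanzas named in a TRANSFORMS-* list, in listed order, with a later matching stanza overwriting the DEST_KEY set by an earlier one. It runs the poster's two stanzas over constructed csi_pclog events, then the ordering from Splunk's documented filter pattern (nullQueue everything, then put the events to keep back into indexQueue); the stanza names `setnull` and `keepLogin` and the sample events are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    """One transforms.conf stanza: its REGEX, DEST_KEY and FORMAT."""
    name: str
    regex: str
    dest_key: str
    fmt: str


# Order exactly as on the TRANSFORMS-routing line in the post.
AS_POSTED = [
    Transform("itseccsiappRouting", r"Login", "_TCP_ROUTING", "default-autolb-group"),
    Transform("itseccsiappDiscard", r".", "queue", "nullQueue"),
]

# Documented Splunk filter pattern; stanza names setnull/keepLogin are assumed.
CORRECTED = [
    Transform("setnull", r".", "queue", "nullQueue"),
    Transform("keepLogin", r"Login", "queue", "indexQueue"),
    Transform("itseccsiappRouting", r"Login", "_TCP_ROUTING", "default-autolb-group"),
]

# Constructed sample events for sourcetype csi_pclog.
EVENTS = [
    "2024-05-01T10:00:00Z csi_pclog Login user=alice src=10.0.0.5",
    "2024-05-01T10:00:01Z csi_pclog Heartbeat status=ok",
    "2024-05-01T10:00:02Z csi_pclog Logout user=alice",
]

DEFAULT_GROUP = "default-autolb-group"  # defaultGroup from outputs.conf


def apply_transforms(event: str, transforms: list) -> dict:
    """Evaluate a TRANSFORMS-* list in listed order: every stanza whose
    REGEX matches sets its DEST_KEY, so a later match overwrites an
    earlier one for the same key (queue and _TCP_ROUTING are independent)."""
    keys = {"queue": "indexQueue", "_TCP_ROUTING": DEFAULT_GROUP}
    for t in transforms:
        if re.search(t.regex, event):
            keys[t.dest_key] = t.fmt
    return keys


def forwarded(events: list, transforms: list) -> list:
    """Events that are not sent to nullQueue, with the output group each uses."""
    out = []
    for e in events:
        k = apply_transforms(e, transforms)
        if k["queue"] != "nullQueue":
            out.append((e, k["_TCP_ROUTING"]))
    return out


if __name__ == "__main__":
    print("as posted:", forwarded(EVENTS, AS_POSTED))  # [] - REGEX=. nullQueues everything
    print("corrected:", forwarded(EVENTS, CORRECTED))  # only the Login event
```

With the posted order, the Login event does get _TCP_ROUTING set, but the discard stanza also matches it and sets queue=nullQueue, so nothing reaches indexer1.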