I need to take all of a sourcetype and index it into Splunk and send a sub-set of that sourcetype to a 3rd party system.
I can't even get it to write anything using props, transforms and outputs.
props.conf
[cisco:asa]
TRANSFORMS-routing = sendall, send_ASA_2QR
transforms.conf
[sendall]
REGEX=.
DEST_KEY = _TCP_ROUTING
FORMAT = NA9-SAL-Splunk-Indexers
[send_ASA_2QR]
REGEX=.
DEST_KEY = _SYSLOG_ROUTING
FORMAT = Qradar_Output
outputs.conf (relevant portion)
# Qradar TEST output to na330151-sal
[syslog:Qradar_Output]
server = 10.36.4.78:514
I will eventually change the REGEX for "send_ASA_2QR" to exclude records. But this should be sending...
I can get it to send if I add this to outputs.conf:
[syslog]
defaultGroup = Qradar_Output
But of course, that sends everything, not just cisco:asa.
Help.
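The documented props/transforms/outputs pattern for this kind of split, written out as an added example rather than the poster's own configuration: every cisco:asa event goes to the indexer group, and only a subset (here, ASA messages of severity 1 to 4, matched on the standard %ASA-<severity>-<id> prefix) is also forwarded to the syslog destination. The output group names are reused from the question; the severity regex, the tcp output type and the tcpout stanza are assumptions for illustration. Note that transforms are evaluated only on a parsing tier (heavy forwarder or indexer), so the routing decision has to be made there; a universal forwarder passes the raw stream through without applying them.

```ini
# props.conf (on the heavy forwarder / parsing tier)
# Both transforms run for every cisco:asa event; they write to different
# DEST_KEYs, so neither overwrites the other's routing decision.
[cisco:asa]
TRANSFORMS-routing = sendall, send_ASA_2QR

# transforms.conf
# Unconditional: every event is routed to the Splunk indexer output group.
[sendall]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = NA9-SAL-Splunk-Indexers

# Subset: only ASA messages with severity 1-4 (emergency..warning) are
# additionally routed to the syslog output group. Assumed regex; events that
# do not match simply keep no _SYSLOG_ROUTING value and are not sent.
[send_ASA_2QR]
SOURCE_KEY = _raw
REGEX = %ASA-[1-4]-\d+
DEST_KEY = _SYSLOG_ROUTING
FORMAT = Qradar_Output

# outputs.conf
# Indexer group referenced by _TCP_ROUTING (assumed stanza; the question
# only shows the syslog portion of outputs.conf).
[tcpout:NA9-SAL-Splunk-Indexers]
server = indexer1.example.invalid:9997, indexer2.example.invalid:9997

# Syslog group referenced by _SYSLOG_ROUTING. type defaults to udp when
# omitted; tcp is set here so a closed port on the receiver shows up as a
# connection failure in splunkd.log rather than silently dropped datagrams.
[syslog:Qradar_Output]
server = 10.36.4.78:514
type = tcp
# Deliberately no [syslog] defaultGroup: setting one would send every event
# from this forwarder to Qradar_Output regardless of sourcetype.
```

After a restart, the quickest check is to send one ASA event of severity 3 and one of severity 6 through the forwarder and confirm that both appear in the index while only the severity-3 event reaches the receiver on 10.36.4.78:514; a mismatch between those two counts points at the transform (wrong tier or regex) rather than at the output stanza.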