Hello splunker,
I have some trouble forwarding data to third-party systems via syslog.
All logs are forwarded via syslog except one where the INDEXED_EXTRACTIONS parameter is set on a UF.
I am sharing my configuration to explain my problem:
UF:
inputs.conf:
[monitor://c:\tmp\logs.csv]
sourcetype = fileshared
props.conf:
[fileshared]
KV_MODE = none
INDEXED_EXTRACTIONS = csv
INDEXER:
props.conf:
[fileshared]
TRANSFORMS-syslog = send_to_syslog
transforms.conf:
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
outputs.conf:
[syslog:my_syslog_group]
server = loghost.example.com:514
Logs with sourcetype fileshared are indexed as expected (fields and logs indexed), but they are not forwarded via syslog.
All other logs from this UF without the INDEXED_EXTRACTIONS parameter are indexed and forwarded via syslog.
In the Splunk documentation, I see this:
When you forward structured data to an indexer, it is not parsed when it arrives at the indexer, even if you have configured props.conf on that indexer with INDEXED_EXTRACTIONS. Forwarded data skips the following pipelines on the indexer, which precludes any parsing of that data on the indexer:
I understand that it is not possible to set parsing and transforms on the indexer for a sourcetype with the INDEXED_EXTRACTIONS parameter. Do you know if there is a way to forward this kind of data without using another method?
Thanks for your help,
Regards,
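Added example (not part of the post above, and not Splunk's own code): what the third-party receiver actually needs to get if the CSV fields are to survive the trip, i.e. one RFC 5424 syslog message per CSV row, with each column carried as a structured-data parameter and the raw line kept as the message body. The CSV content, the hostname `uf01`, the app name and the SD-ID `fileshared@32473` (32473 is the enterprise number RFC 5612 reserves for documentation) are all assumptions; the target `loghost.example.com:514` is the one from the outputs.conf in the post. Whether Splunk's pipeline can be made to emit this for structured data is the question the post asks; this block only shows the wire format and a receiver-side parser for it.

```python
import csv
import re
import socket

# Constructed sample input standing in for c:\tmp\logs.csv (assumption, not from the post).
SAMPLE_CSV = r"""timestamp,user,action,share,status
2024-05-01T10:15:00Z,alice,read,\\fs01\finance,success
2024-05-01T10:16:30Z,bob,write,\\fs01\hr,denied
"""

FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
# Private SD-ID (hypothetical); 32473 is the enterprise number RFC 5612 reserves for examples.
SD_ID = "fileshared@32473"


def sd_name(name):
    # RFC 5424 PARAM-NAME: printable ASCII, no '=', ' ', ']' or '"', at most 32 chars.
    return re.sub(r'[^\x21-\x7e]|[=\]"]', "_", name)[:32] or "_"


def sd_escape(value):
    # RFC 5424 PARAM-VALUE escaping: backslash, double quote and ']' get a backslash.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def csv_to_syslog(csv_text, hostname="uf01", app="fileshared"):
    """Turn each CSV row into one RFC 5424 message.

    The header row names the fields (the job INDEXED_EXTRACTIONS=csv does on the UF);
    every column except 'timestamp' becomes an SD-PARAM, and the raw line is kept as MSG.
    """
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    header = next(csv.reader([lines[0]]))
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_INFO  # <134>
    messages = []
    for raw in lines[1:]:
        fields = dict(zip(header, next(csv.reader([raw]))))
        timestamp = fields.pop("timestamp", "") or "-"  # NILVALUE when the row has none
        params = " ".join(f'{sd_name(k)}="{sd_escape(v)}"' for k, v in fields.items())
        messages.append(f"<{pri}>1 {timestamp} {hostname} {app} - - [{SD_ID} {params}] {raw}")
    return messages


def parse_sd_params(message):
    """Recover the SD-PARAMs from a message, as the receiving system would."""
    # First SD-ELEMENT: from '[' to the first ']' that is not backslash-escaped.
    sd = re.search(r"\[(?:[^\]\\]|\\.)*\]", message)
    if not sd:
        return {}
    pairs = re.findall(r'(\S+?)="((?:[^"\\]|\\.)*)"', sd.group(0))
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in pairs}


def send_udp(messages, host="loghost.example.com", port=514):
    """Ship the messages to the syslog target from the post, one UDP datagram each."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for m in csv_to_syslog(SAMPLE_CSV):
        print(m)
```

The escaping in sd_escape and the unescaping in parse_sd_params are the part worth checking on a real receiver: UNC paths like the share column are full of backslashes, and a receiver that does not honour RFC 5424 escaping will split or truncate those values. Run the block as-is to print the two messages; call send_udp only against a host you control.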