Hello,
I've got a difficult scenario I am trying to work out. I am attempting to make a copy of a sourcetype, using SEDCMD to reformat it and then send it to a 3rd party destination via SYSLOG. Everything works just fine, except that when I use `DEST_KEY = _SYSLOG_ROUTING` in transforms, Splunk will index both the original and cloned copy of the data. The double indexing does NOT happen when I set `DEST_KEY = _TCP_ROUTING` in transforms. However, I need it to be in syslog format.
This config is a little complicated, so I'll do my best to walk through it. I changed naming to protect privacy.
**1. First I am applying the transform named "clone_sourcetype", which makes a clone of all Windows Event Logs with a new sourcetype named "SIEM_FORMAT".**
**##PROPS##**

```ini
[(?::){0}WinEventLog:*]
TRANSFORMS-WinEventLog = clone_sourcetype
```
**##TRANSFORMS-1##**

```ini
[clone_sourcetype]
REGEX = .
FORMAT = $1
SOURCE_KEY = _raw
CLONE_SOURCETYPE = SIEM_FORMAT
```
**2. Second, I am taking the new sourcetype "SIEM_FORMAT" and applying SEDCMD and LINEMERGE to merge the multiline Windows events into single-line events. I also apply another transform called "SIEM_syslog", which applies the output stanza "send_syslog_to_SIEM".**
**##PROPS##**

```ini
[SIEM_FORMAT]
SEDCMD-rmlines = s/[\n\r\t]/ /g
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ((.+)\d+\/\d+\/\d+\s+\d+:\d+:\d+\s+([aApPmM]{2}))
TRANSFORMS-output = SIEM_syslog
```
**##TRANSFORMS##**

```ini
[SIEM_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = send_syslog_to_SIEM
```
**##OUTPUTS##**

```ini
[syslog:send_syslog_to_SIEM]
server = x.x.x.x:514
type = tcp
priority = NO_PRI
```
Everything works perfectly; I am seeing the events on the SIEM side formatted the way I need them, except that Splunk is indexing both copies of the sourcetype. This does not happen when I use _TCP_ROUTING in transforms; however, I need it to be in syslog format.
Is there any way I can block the cloned sourcetype from being indexed?
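To check that the `[SIEM_FORMAT]` line-merging and SEDCMD settings really turn each multi-line Windows event into one line before the clone leaves for the SIEM, here is an added example (not code from the original post and not Splunk's own implementation) that approximates `SHOULD_LINEMERGE = true` with that `BREAK_ONLY_BEFORE` regex and then applies the `SEDCMD-rmlines` substitution. The merge-then-sed order and the sample events are assumptions made for the example.

```python
import re

# Settings copied from the [SIEM_FORMAT] props.conf stanza in the post.
BREAK_ONLY_BEFORE = re.compile(r"((.+)\d+\/\d+\/\d+\s+\d+:\d+:\d+\s+([aApPmM]{2}))")
# SEDCMD-rmlines = s/[\n\r\t]/ /g
SEDCMD_RMLINES = re.compile(r"[\n\r\t]")


def merge_events(raw):
    """Approximation of SHOULD_LINEMERGE with BREAK_ONLY_BEFORE (assumed order:
    break on newline first, then start a new event only at a line that matches
    the regex; any lines before the first match become their own event)."""
    lines = raw.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty tail left by a trailing newline
    events, current = [], []
    for line in lines:
        if current and BREAK_ONLY_BEFORE.search(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def apply_sedcmd(event):
    """SEDCMD-rmlines: replace every newline, carriage return and tab with a space."""
    return SEDCMD_RMLINES.sub(" ", event)


def to_single_line(raw):
    """Merged events after the sed step, i.e. what the clone should look like."""
    return [apply_sedcmd(e) for e in merge_events(raw)]


# Constructed sample of two multi-line WinEventLog events (not real data).
SAMPLE = (
    "03/15/2023 10:22:33 AM\n"
    "LogName=Security\n"
    "EventCode=4624\n"
    "Message=An account was successfully logged on.\n"
    "\tLogon Type:\t\t3\n"
    "03/15/2023 10:22:34 AM\n"
    "LogName=Security\n"
    "EventCode=4625\n"
    "Message=An account failed to log on.\n"
)

if __name__ == "__main__":
    for ev in to_single_line(SAMPLE):
        print(ev)
```

Lines that accidentally match the timestamp pattern (for example a quoted date inside a Message field) would split an event in two; feeding real samples through `merge_events` is a cheap way to catch that before the clone is forwarded.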