Hi,
I am getting a weird issue. If the syslog server fails, it stops all data being indexed by the default TCP out, and then Splunk fills its buckets and falls over. Am I missing a setting that would let it continue when it can't connect to an output?
cat outputs.conf
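; outputs.conf — syslog output used by the _SYSLOG_ROUTING transform in
; transforms.conf. Only the syslog stanzas are shown here; the [tcpout]
; group that _TCP_ROUTING points at (xxx_cluster_indexers) is presumably
; defined elsewhere in this file.
[syslog]
; default syslog target group; must match a [syslog:<group>] stanza exactly
defaultGroup = xxxxx_indexers

[syslog:xxxxx_indexers]
; syslog receiver as address:port. 9997 is the usual Splunk-to-Splunk
; receiving port, so confirm the target is really a syslog listener and not
; an indexer expecting forwarder traffic. This output sends plain syslog
; (no encryption option on the stanza), so the network path to the
; receiver should be a trusted one.
server = xxx.xxx.xxx.xxx:9997
; tcp: the output holds the connection open and queues while the receiver
; is unreachable; a down receiver therefore backs up the pipeline behind
; it (the stall described above). udp is fire-and-forget and does not wait
; for the receiver, if the receiver can accept it and event loss is
; tolerable.
type = tcp
; strftime format for the syslog header timestamp. %T already expands to
; %H:%M:%S, so the original "%T.%S" printed the seconds twice
; (e.g. 12:34:56.56). If sub-second precision is needed, check which
; directives this output accepts before adding one — plain strftime has
; no fractional-seconds field.
timestampformat = %Y-%m-%dT%H:%M:%S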
cat transforms.conf
; transforms.conf — routing transforms referenced from props.conf
; (TRANSFORMS-routing). Key order inside a stanza is not significant.

; Route every event (REGEX matches any single character, so anything
; non-empty) to the tcpout group. xxx_cluster_indexers is not among the
; outputs.conf stanzas shown above; presumably a [tcpout:...] group
; elsewhere in that file.
[mehRouting]
DEST_KEY = _TCP_ROUTING
FORMAT = xxx_cluster_indexers
REGEX = .

; Mark Fortigate traffic/UTM events for the syslog group as well. This
; writes a different key than mehRouting, so such events are presumably
; sent to both outputs. The regex is unanchored: any sourcetype containing
; fgt_traffic or fgt_utm as a substring matches. FORMAT must equal the
; [syslog:<group>] stanza name in outputs.conf character for character
; (the two names are spelled with a different number of x's here).
[Routing_firewalls]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = xxxx_indexers
REGEX = (fgt_traffic|fgt_utm)
SOURCE_KEY = MetaData:Sourcetype
cat props.conf
; props.conf — apply both routing transforms to events from the two hosts
; below. The list is the execution order; since mehRouting and
; Routing_firewalls write different keys (_TCP_ROUTING, _SYSLOG_ROUTING),
; the order should not matter here — confirm if a third transform is added.
[host::xxxxxxx1c]
TRANSFORMS-routing = mehRouting, Routing_firewalls
; same routing for the second host
[host::xxxxxc]
TRANSFORMS-routing = mehRouting, Routing_firewalls