Issue:
I am attempting to get a specific index from an internal Splunk setup to an external one without clustering. Thus far I have been led to believe that using indexAndForward is the best option for this. I have 3 test systems sending their logs to the *main* index, while one system is sending each WinEventLog log to its own index (*security_logs, application_logs, etc.*), much like our client systems are already set to do. When I use the setup below with *outputs.conf, transforms.conf and props.conf*, I get the WinEventLog:Security and System, and that is all (the Security being the only one I want to test); however, for the one sending all its logs to individual indexes, I get EVERYTHING except those logs.
Current Files:

**outputs.conf**

```ini
[tcpout]
defaultGroup = splunkinternal,splunkexternal

[tcpout:splunkexternal]
server = xx.xx.10.19:9997

[tcpout-server://xx.xx.10.19:9997]

[tcpout:splunkinternal]
server = xx.xx.1.6:9997

[tcpout-server://xx.xx.1.6:9997]
```

**props.conf**

```ini
[syslog]
TRANSFORMS-routing = routeSubset, routeAll
```

**transforms.conf**

```ini
[routeAll]
REGEX = (.)
DEST_KEY = _TCP_ROUTING
FORMAT = splunkinternal

[routeSubset]
REGEX = (WinEventLog|Security)
DEST_KEY = _TCP_ROUTING
FORMAT = splunkexternal
```
Items desired:
Pull in specific indexes (index=security_logs) and only those specific indexes OR specify certain log files (WinEventLog:Security), without getting the others. Any assistance or links would be extremely helpful. See below for links I used to arrive where I am.
https://docs.splunk.com/Documentation/Splunk/6.4.3/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#IndexAndForward_Processor-----
https://answers.splunk.com/answers/448100/is-it-possible-to-index-and-forward-a-specific-sou.html
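An added example (not from the original post) of the routing pattern the linked Splunk docs describe, selecting the subset by its source rather than by a regex over event text; the `route_security_external` stanza name is an assumption, and the addresses are the ones from the question. TRANSFORMS-* settings run at parse time, so these files belong on the first heavy forwarder or indexer that parses the events, not on a universal forwarder.

```ini
# outputs.conf (on the heavy forwarder / indexer that parses the data)
[tcpout]
# Only the internal group is a default destination: nothing reaches
# splunkexternal unless a transform explicitly sets _TCP_ROUTING to it.
defaultGroup = splunkinternal

[tcpout:splunkinternal]
server = xx.xx.1.6:9997

[tcpout:splunkexternal]
server = xx.xx.10.19:9997

# props.conf
# A source:: stanza selects the Windows Security log whether the input
# labels it sourcetype WinEventLog or WinEventLog:Security. A [syslog]
# stanza only applies to events whose sourcetype is syslog.
[source::WinEventLog:Security]
TRANSFORMS-routing = route_security_external

# transforms.conf
[route_security_external]
# The props stanza already narrows the selection, so the regex only has to
# match every event it sees. (The default SOURCE_KEY is _raw, so a pattern
# like (WinEventLog|Security) inspects event text, not the source name.)
REGEX = .
DEST_KEY = _TCP_ROUTING
# Comma-separated list sends the match to both groups; use
# FORMAT = splunkexternal to send the Security log only to the external side.
FORMAT = splunkinternal,splunkexternal
```

Everything that does not match the source:: stanza keeps the default group and stays internal, which is the "only those specific logs" behaviour asked for above.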