From indexerA I am trying to forward Windows Event Logs and IIS Logs to indexerB. The Windows Event Logs are being forwarded properly, but the IIS Logs (sourcetype=iis) are not.
(Splunk Enterprise 6.3.3 on RHEL)
On indexerA I have the below:
///////// props.conf /////////

```ini
[iis]
CHECK_FOR_HEADER = False
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 128
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
REPORT-iisfields = iisfields
TRANSFORMS-routing = route2swingserver

[WinEventLog:Security]
TRANSFORMS-routing = route2swingserver

[WinEventLog:System]
TRANSFORMS-routing = route2swingserver

[WinEventLog:Application]
TRANSFORMS-routing = route2swingserver
```

///////// transforms.conf /////////

```ini
[route2swingserver]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=logs4customer
```

///////// outputs.conf /////////

```ini
[indexAndForward]
index = true

[tcpout]
defaultGroup=nothing
maxQueueSize = 10MB

[tcpout:logs4customer]
disabled=false
server=indexerB:9998
compressed = true
```
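An added example, not part of the question above: a small Python checker that cross-references the posted props.conf, transforms.conf and outputs.conf and reports, per sourcetype stanza, which tcpout group its TRANSFORMS-routing chain ends in. Run against the configuration as posted it shows that [iis] and the WinEventLog stanzas resolve to the same enabled group, so the difference between them is not in this stanza wiring; it only checks the wiring, not where in the pipeline the data is actually parsed.

```python
import configparser

# Constructed sample: the stanzas from the question, embedded inline.
PROPS = """
[iis]
TRANSFORMS-routing = route2swingserver
[WinEventLog:Security]
TRANSFORMS-routing = route2swingserver
"""
TRANSFORMS = """
[route2swingserver]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=logs4customer
"""
OUTPUTS = """
[tcpout]
defaultGroup=nothing
[tcpout:logs4customer]
disabled=false
server=indexerB:9998
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
    cp.read_string(text)
    return cp

def routing_report(props_text, transforms_text, outputs_text):
    props, tr, out = load(props_text), load(transforms_text), load(outputs_text)
    groups = {s.split(":", 1)[1] for s in out.sections() if s.startswith("tcpout:")}
    report = {}
    for stanza in props.sections():
        found = []
        for key, val in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue  # only routing-capable transforms matter here
            for name in (n.strip() for n in val.split(",")):
                if name not in tr:
                    found.append(f"missing transform {name}")
                elif tr[name].get("DEST_KEY") == "_TCP_ROUTING":
                    grp = tr[name].get("FORMAT", "")
                    if grp not in groups:
                        found.append(f"undefined group {grp}")
                    elif out[f"tcpout:{grp}"].get("disabled", "false").lower() in ("true", "1"):
                        found.append(f"disabled group {grp}")
                    else:
                        found.append(grp)
        report[stanza] = found
    default = out["tcpout"].get("defaultGroup")  # where unrouted data would go
    report["defaultGroup"] = default if default in groups else f"undefined group {default}"
    return report
```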