I am trying to forward to a third-party system from a Universal forwarder. I have tried two approaches. In both cases I am receiving a lot of unnecessary data on the third-party end. It looks like Splunk is forwarding not only the file that I am monitoring but also internal logs. What can I do to fix this? I am attaching conf files for both:

**Approach 1:** use props, transforms, and outputs

**props.conf**

```
[source::/home/abc/splunk-test/test.txt]
TRANSFORMS-routing=monitoring
```

**transforms.conf**

```
[monitoring]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=monitoring_tcp
```

**outputs.conf**

```
[tcpout]
defaultGroup=group_a
[tcpout:group_a]
disabled=true
[tcpout:monitoring_tcp]
sendCookedData=false
server=x.x.x.x:514
```

**Approach 2:** use inputs.conf and outputs.conf (I deleted everything from props and transforms)

**inputs.conf**

```
[default]
host=abc
[monitor:///home/abc/splunk-test/test.txt]
_TCP_ROUTING=monitoring_tcp
```

**outputs.conf**

```
[tcpout]
defaultGroup=group_a
[tcpout:group_a]
disabled=true
[tcpout:monitoring_tcp]
sendCookedData=false
server=x.x.x.x:514
```