The output for syslog over TCP and UDP sent on the wire will look like this:
<42>Oct 29 19:12:45 diode-sender t=1540825965|st=splunkd|s=/opt/diode/splunk-sender/var/log/splunk/metrics.log|h=diode-sender|r=10-29-2018 19:12:45.746 +0400 INFO Metrics - .....
Keep the syslog PRI code, hostname and timestamp so the output follows the syslog RFC; some diodes check the format.
The PRI code is 42 for obvious reasons.
This syslog stanza MUST be called 'diode-syslog-tcp'; transforms.conf references it by that name.
PRO: Can handle larger events
CON: Not always supported by diode
[syslog:diode-syslog-tcp]
disabled = false
server = 127.0.0.1:6003
type = tcp
priority = <42>
timestampformat = %b %e %H:%M:%S
PRO: Always works
CON: limited to MTU size
This syslog stanza MUST be called 'diode-syslog-udp'; transforms.conf references it by that name.
[syslog:diode-syslog-udp]
disabled = false
server = 127.0.0.1:6004
type = udp
priority = <42>
timestampformat = %b %e %H:%M:%S
In props.conf, add the transforms to the sourcetypes you want to forward, or apply them to all data with the [default] stanza:
[default]
TRANSFORMS-diode-1-rewrite=add_host, add_source, add_sourcetype, add_time
TRANSFORMS-diode-2-outputs=send-to-syslog-udp
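As an added example (not code from this app or from Splunk), the following Python encoder/decoder works with the wire format shown at the top of the page: the receiving side of the diode can use it to check the PRI, split the RFC 3164 header from the payload and recover the Splunk metadata (time, sourcetype, source, host, raw event) before re-indexing. It also checks a line against a UDP payload limit to illustrate the MTU caveat of the UDP stanza. The field order t|st|s|h|r is taken from the page's sample line; the sample line itself, the 1472-byte UDP cap and the function names are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample line in the wire format shown on the page (values are made up).
SAMPLE_LINE = (
    "<42>Oct 29 19:12:45 diode-sender "
    "t=1540825965|st=splunkd|s=/opt/diode/splunk-sender/var/log/splunk/metrics.log"
    "|h=diode-sender|r=10-29-2018 19:12:45.746 +0400 INFO Metrics - group=thruput"
)

# Payload key order as it appears on the page; 'r' (the raw event) is last so it may contain '|'.
PAYLOAD_KEYS = ("t", "st", "s", "h", "r")
EXPECTED_PRI = 42
# Hypothetical UDP cap: 1500-byte Ethernet MTU minus IPv4 (20) and UDP (8) headers.
MAX_UDP_PAYLOAD = 1472

# RFC 3164 style header: <PRI>Mmm dd HH:MM:SS host payload
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<payload>.*)$",
    re.DOTALL,
)


def split_pri(pri):
    """RFC 3164: PRI = facility * 8 + severity (42 -> facility 5, severity 2)."""
    return pri // 8, pri % 8


def encode_diode_event(fields, now):
    """Build one wire line from Splunk metadata; `fields` must carry t, st, s, h and r."""
    # Emulates the stanza's '%b %e %H:%M:%S' (space-padded day) without relying on platform %e.
    header_ts = "%s %2d %s" % (now.strftime("%b"), now.day, now.strftime("%H:%M:%S"))
    payload = "|".join("%s=%s" % (k, fields[k]) for k in PAYLOAD_KEYS)
    return "<%d>%s %s %s" % (EXPECTED_PRI, header_ts, fields["h"], payload)


def parse_diode_event(line, expected_pri=EXPECTED_PRI):
    """Validate the header and split the payload back into Splunk metadata."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri != expected_pri:
        raise ValueError("unexpected PRI %d (expected %d)" % (pri, expected_pri))
    # Split on at most len(keys)-1 pipes so any '|' inside the raw event stays intact.
    parts = m.group("payload").split("|", len(PAYLOAD_KEYS) - 1)
    if len(parts) != len(PAYLOAD_KEYS):
        raise ValueError("payload has %d fields, expected %d" % (len(parts), len(PAYLOAD_KEYS)))
    fields = {}
    for key, part in zip(PAYLOAD_KEYS, parts):
        k, sep, v = part.partition("=")
        if not sep or k != key:
            raise ValueError("expected %s=..., got %r" % (key, part[:20]))
        fields[key] = v
    facility, severity = split_pri(pri)
    return {
        "pri": pri, "facility": facility, "severity": severity,
        "syslog_ts": m.group("ts"), "syslog_host": m.group("host"),
        "time": int(fields["t"]), "sourcetype": fields["st"], "source": fields["s"],
        "host": fields["h"], "raw": fields["r"],
    }


def is_valid_diode_line(line):
    """True when the line parses and carries the expected PRI."""
    try:
        parse_diode_event(line)
        return True
    except ValueError:
        return False


def fits_udp(line, max_payload=MAX_UDP_PAYLOAD):
    """The UDP stanza cannot fragment events: reject lines larger than one datagram."""
    return len(line.encode("utf-8")) <= max_payload


if __name__ == "__main__":
    event = parse_diode_event(SAMPLE_LINE)
    print(event)
    print("fits UDP:", fits_udp(SAMPLE_LINE))
```

On the receiving side, events that fail `is_valid_diode_line` or exceed the datagram size are the ones to alert on, since a truncated or re-framed line usually means the TCP stanza (or a larger MTU) is needed rather than UDP.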
1.1 Updated transforms, documentation, etc.
* First release