I think this syntax is specific to rsyslog (which you probably have). When you put it in the conf, make sure it is above the line for the messages file.

    if $programname == 'dsmserv' and not ($msg contains 'REPORTING_ADMIN') and not ($msg contains 'ANR8592I') then /var/log/dsmserv.log
    & @splunkserver.intranet
    & ~

That is 3 lines, in case it wraps.

Line 1) I am filtering out messages that are created by a specific data-collector service account (connects every 5 minutes) and a specific informational message. Make sure to set up log rotation for this log.

Line 2) Duplicate the log msg previously described and also send it to "splunkserver.intranet".

Line 3) Any log already filtered, do not include in any further logging. This prevents TSM logs from also showing up in the messages file, but needs to be before the messages line in the conf for this to work.

This sends the message using the standard syslog protocol to "splunkserver.intranet". That server receives the message using its own standard rsyslog installation (needs to be configured to receive syslog). Then splunk will monitor the messages file and load it into the index. You can then use splunk filters if you want to move it to a separate index or whatever. I have all the TSM/DataDomain stuff going into an isolated index. I think splunk can be configured to receive syslog messages directly, but we don't do it that way (I don't run the splunk server).

On 8/23/2017 3:56 PM, Remco Post wrote:
Tell me more, please. I'm quite sure that there is Splunk in my future as well; can you share your syslog config?
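The routing that the three-line rsyslog ruleset in the reply above produces, and the ordering caveat (the dsmserv rule must sit before the messages line), as an added example that is not part of the original thread: a small Python emulation of the legacy filter semantics run over constructed sample lines. The rule/action model and the sample lines are assumptions for illustration, not rsyslog code.

```python
# Emulates the three legacy rsyslog lines from the post so the routing and the
# ordering caveat can be checked offline. Hypothetical helper, not rsyslog's code.

# Constructed sample lines in "programname: msg" form (not from the post).
SAMPLE_LINES = [
    "dsmserv: ANR2017I Administrator REPORTING_ADMIN issued command: QUERY SESSION",
    "dsmserv: ANR8592I Session 4521 connection is using protocol TLSV12.",
    "dsmserv: ANR0403I Session 4522 ended for node NODE1 (Linux x86-64).",
    "sshd: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
]

def dsmserv_filter(program, msg):
    """Line 1 of the post: $programname == 'dsmserv' and neither substring present."""
    return program == "dsmserv" and "REPORTING_ADMIN" not in msg and "ANR8592I" not in msg

# A rule is (filter-or-None, actions). None matches everything, like the
# catch-all selector that feeds /var/log/messages. "~" is the legacy discard
# action; "@host" forwards over plaintext UDP ("@@host" would be TCP).
DSMSERV_RULE = (dsmserv_filter, ["/var/log/dsmserv.log", "@splunkserver.intranet", "~"])
MESSAGES_RULE = (None, ["/var/log/messages"])

def run_ruleset(rules, lines):
    """Apply rules in file order; return {action: [lines delivered to it]}."""
    sinks = {}
    for line in lines:
        program, _, msg = line.partition(": ")
        for match, actions in rules:
            if match is not None and not match(program, msg):
                continue
            discarded = False
            for action in actions:
                if action == "~":
                    discarded = True   # later rules never see this message
                else:
                    sinks.setdefault(action, []).append(line)
            if discarded:
                break
    return sinks

def correct_order():
    """dsmserv rule above the messages line, as the post recommends."""
    return run_ruleset([DSMSERV_RULE, MESSAGES_RULE], SAMPLE_LINES)

def wrong_order():
    """messages line first: the discard comes too late to keep TSM noise out."""
    return run_ruleset([MESSAGES_RULE, DSMSERV_RULE], SAMPLE_LINES)

if __name__ == "__main__":
    for name, sinks in (("dsmserv rule first", correct_order()), ("messages line first", wrong_order())):
        print(name)
        for sink, delivered in sinks.items():
            print(f"  {sink}: {len(delivered)} line(s)")
```

With the recommended order only the ANR0403I line reaches dsmserv.log and the Splunk forwarder, while the two excluded dsmserv messages and the sshd line fall through to messages; with the order reversed every line lands in messages first.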