splunk diode ietf
# The audittrail sourcetype is protected and cannot be transformed, so we cannot
# rely on defaultGroup to forward everything. Instead every forwardable event is
# routed explicitly via _TCP_ROUTING and anything left unrouted is not sent.
[tcpout]
# Deliberately names a group that is defined nowhere in this file: an event
# that never receives _TCP_ROUTING (e.g. audittrail, whose transform chain is
# blanked in props) has no valid destination and is not forwarded at all.
# NOTE(review): Splunk may warn about the undefined group at startup; confirm
# the installed version treats it as "forward nothing" rather than an error.
defaultGroup = NoForwarding
[tcpout:nexthop]
# Raw (uncooked) stream: only _raw is written, already framed as RFC 5424 /
# RFC 6587 by the transforms below. No Splunk metadata travels with it and
# there is no indexer acknowledgement, so loss on the one-way link is not
# visible to this forwarder.
sendCookedData = false
# Diode sender on the loopback interface. Nothing in this stanza enables TLS,
# so the stream is plaintext; keep the endpoint on localhost (or terminate TLS
# on the diode sender itself) rather than pointing it at a remote host.
server = localhost:9000
[default]
# Applies to every sourcetype on this instance; [audittrail] below blanks the
# transform lists for the one sourcetype that must not be rewritten.
# Keep each event a single line and skip the extra index-time fields
# (date_*, punct) that would otherwise bulk up the _meta block injected below.
SHOULD_LINEMERGE = false
ANNOTATE_PUNCT = false
ADD_EXTRA_TIME_FIELDS = none
# The zza/zzz names rely on transform classes being applied in ASCII order of
# the class name, and transforms inside a class run left to right. This chain
# sets _TCP_ROUTING, then prepends _meta, source, sourcetype, index, host and
# time to _raw, then the RFC 5424 header. Order matters: each transform
# prepends to the output of the previous one.
# NOTE(review): syslog_drop_zero tests mlen, which is only assigned by
# syslog_octal in the zzz class, so here it appears to run with mlen unset and
# drop nothing — confirm what it was meant to do.
TRANSFORMS-zza-syslog = syslog_canforward, metadata_meta, metadata_source, metadata_sourcetype, metadata_index, metadata_host, metadata_subsecond, metadata_time, syslog_prefix, syslog_drop_zero
# TCP destinations: add the RFC 6587 octet-count frame ("<len> " prefix).
TRANSFORMS-zzz-syslog = syslog_octal, syslog_octal_append
# UDP destinations: comment out the TCP line above and enable this one instead.
#TRANSFORMS-zzz-syslog-udp = syslog_octal, syslog_octal_append, syslog_drop_zero
[audittrail]
# Splunk's own audit log. Empty transform lists override the [default] chain
# so these events are never rewritten; because they also never receive
# _TCP_ROUTING they fall to the undefined defaultGroup and stay on this host.
# NOTE(review): if the audit trail is wanted on the far side of the diode it
# has to be exported by a separate route; nothing in this file carries it.
TRANSFORMS-zzz-syslog =
TRANSFORMS-zza-syslog =
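[syslog_canforward]
# Routes every event except the audittrail sourcetype to the diode group.
# Fix: the original left SOURCE_KEY at its default (_raw) and matched
# ^.(?!audit) against the event text, not the sourcetype. That neither
# reliably excluded audit events nor was needed (props blanks the chain for
# audittrail), and it silently kept any event whose second character happens
# to start "audit" off the wire. Matching the sourcetype metadata makes the
# exclusion explicit and leaves ordinary events alone.
SOURCE_KEY = MetaData:Sourcetype
REGEX = ^sourcetype::(?!audittrail$)
DEST_KEY = _TCP_ROUTING
FORMAT = nexthop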
[metadata_meta]
# Prepends the whole index-time field block (_meta) to the event, fenced by
# ~~~SM~~~ ... ~~~EM~~~ so the receiver can split it from the original text.
# (?ims) lets the match span newlines; $0 carries the existing _raw, which is
# why this and the following transforms all prepend rather than replace.
# NOTE(review): _meta is copied verbatim — every indexed field, including any
# custom ones, leaves through the diode, and a field value containing
# ~~~EM~~~ would confuse the receiver's split. Nothing is escaped here;
# confirm that is acceptable for the data on this instance.
DEST_KEY = _raw
SOURCE_KEY = _meta
REGEX = (?ims)(.*)
FORMAT = ~~~SM~~~$1~~~EM~~~$0
[metadata_source]
# Adds the last SD-PARAM, s="<source>", and closes the [fields@... element
# with "]"; the fenced _meta block and original event follow after a space.
# NOTE(review): the value is inserted unescaped. RFC 5424 requires '"', '\'
# and ']' inside a PARAM-VALUE to be backslash-escaped; a source containing
# any of them (e.g. a file path) would break structured-data framing on the
# receiver and could let one event masquerade as carrying extra params.
DEST_KEY = _raw
SOURCE_KEY = MetaData:Source
REGEX = ^source::(.*)$
FORMAT = s="$1"] $0
[metadata_sourcetype]
# Adds st="<sourcetype>" in front of the s= param placed by metadata_source.
# Strips the "sourcetype::" prefix that the metadata key carries.
# NOTE(review): not escaped — same RFC 5424 PARAM-VALUE caveat as the
# source field, though sourcetype names are admin-controlled.
DEST_KEY = _raw
SOURCE_KEY = MetaData:Sourcetype
REGEX = ^sourcetype::(.*)$
FORMAT = st="$1" $0
[metadata_index]
# Adds i="<index>" in front of the st= param. The regex captures the key's
# entire value; presumably _MetaData:Index carries the bare index name with
# no "index::" prefix, unlike source and sourcetype — verify on this version.
DEST_KEY = _raw
SOURCE_KEY = _MetaData:Index
REGEX = (.*)
FORMAT = i="$1" $0
[metadata_host]
# Adds h="<host>" in front of the i= param. The leading '"' is the closing
# quote of the t=" value that metadata_time opens later in the chain, so this
# must run before metadata_time (as it does in [default]).
# NOTE(review): for network inputs the host can be derived from the sending
# peer, so this is the one field here an outside party may influence, and it
# is inserted without RFC 5424 escaping of '"', '\' or ']'. A crafted host
# could close the SD element early or inject extra params on the receiver.
DEST_KEY = _raw
SOURCE_KEY = MetaData:Host
REGEX = ^host::(.*)$
FORMAT = " h="$1" $0
[syslog_prefix]
# Prepends the RFC 5424 header: PRI <1> (facility 0/kern, severity 1/alert),
# VERSION 1, NILVALUE for TIMESTAMP and HOSTNAME, APP-NAME SPLUNK, NILVALUE
# PROCID, MSGID COOKED, then opens the [fields@274489 structured-data element
# that the earlier transforms have already filled and closed.
# _time serves only as a trigger: (.*) always matches, $1 is unused, $0 is _raw.
# NOTE(review): every event is tagged kern.alert and carries NIL timestamp and
# hostname in the header; the real host and time live only in the SD-PARAMs.
# Receivers that route or alert on PRI or HOSTNAME will not see the originals —
# confirm the far side parses the fields@ element rather than the header.
DEST_KEY = _raw
SOURCE_KEY = _time
REGEX = (.*)
FORMAT = <1>1 - - SPLUNK - COOKED [fields@274489 $0
[metadata_time]
# Opens the t="<epoch seconds> param at the front of _raw. Its closing quote is
# the one metadata_host already placed, so the result reads
# t="<_time><subsecond>" h="..."; this must run after metadata_host and
# metadata_subsecond, which is the order used in [default].
DEST_KEY = _raw
SOURCE_KEY = _time
REGEX = (.*)
FORMAT = t="$1$0
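[metadata_subsecond]
# Pulls the fractional seconds (e.g. ".123") out of the _subsecond:: entry in
# _meta and prepends it so metadata_time can complete t="<sec><frac>".
# Fix: the original FORMAT was "$1 $0", which left a stray space inside the
# quoted time value (t="1627990000.123 ") whenever a subsecond was present,
# while events without one produced t="1627990000" — two shapes for the
# receiver to parse. With no space the closing quote placed by metadata_host
# follows the fraction directly.
# When _meta has no _subsecond entry the regex does not match and _raw is
# left untouched.
DEST_KEY = _raw
SOURCE_KEY = _meta
REGEX = \_subsecond\:\:(\.\d+)
FORMAT = $1$0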
[syslog_octal]
# RFC 6587 octet count for the framed message: its length plus one, presumably
# to cover the trailing newline added when the raw event is written to the TCP
# socket — confirm against what the diode receiver expects.
# NOTE(review): if length() counts characters rather than bytes, any
# multi-byte UTF-8 in the event makes the count short and an octet-counting
# receiver will desynchronise, mis-splitting this and the following message.
INGEST_EVAL = mlen=length(_raw)+1
[syslog_octal_append]
# Emits "<mlen> <message>", the RFC 6587 octet-counting frame. Depends on
# syslog_octal having set mlen, which is why both sit in the same zzz class
# in that order.
INGEST_EVAL = _raw=mlen + " " + _raw
[syslog_drop_zero]
# Intended to discard near-empty events by diverting them to nullQueue.
# NOTE(review): as wired in [default] this appears never to fire. In the zza
# class it runs before syslog_octal has assigned mlen, so the comparison is
# against an unset field and queue is left alone; in the zzz-udp variant it
# runs after the RFC 5424 header has been prepended, so mlen is always well
# above 10. If the goal is to drop empty events, test length(_raw) before any
# prefix is added (first in the zza chain), e.g.
# queue=if(length(_raw)==0,"nullQueue",queue).
INGEST_EVAL = queue=if(mlen<10,"nullQueue",queue)