I think this syntax is specific to rsyslog (which you probably have)
When you put it in the conf, make sure it is above the line for the
messages file

if $programname == 'dsmserv' and not ($msg contains 'REPORTING_ADMIN')
and not ($msg contains 'ANR8592I') then /var/log/dsmserv.log
& @splunkserver.intranet
& ~

That is 3 lines, in case it wraps.
Line 1) I am filtering out messages that are created by a specific
data-collector service account (connects every 5 minutes) and a specific
informational message.  Make sure and setup logrotation for this log
Line 2) Duplicate the log msg previously described and also send it to
"splunkserver.intranet"
Line 3) Any log already filtered, do not include in any further logging.
This prevents TSM logs from also showing up in the messages file but
needs to be before the messages line in the conf for this to work.


This sends the message using the standard syslog protocol to
"splunkserver.intranet".  That server receives the message using the its
own standard rsyslog installation (needs to be configured to receive
syslog)  Then splunk will monitor the messages file and load it into the
index.  You can then use splunk filters if you want to move it to a
separate index or whatever. I have all the TSM/DataDomain stuff going
into an isolated index.  I think splunk can be configured to receive
syslog messages directly but we don't do it that way (I don't run the
splunk server)



On 8/23/2017 3:56 PM, Remco Post wrote:

Tell me more, please. I'm quite sure that there is Splunk in my future as well, 
can you share your syslog config?