https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597411#M104304 <P>The configuration provided in the link should be the way to go. Just make sure that you chose appropriate source ([source::YourSource]) OR sourcetype in props.conf.</P><P>Another example:</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-on-the-Heavy-Forwarder-to-separate/m-p/216971" target="_blank">https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-on-the-Heavy-Forwarder-to-separate/m-p/216971</A></P> Wed, 11 May 2022 14:11:41 GMT somesoni2 2022-05-11T14:11:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597398#M104300 <P>Hi Community,</P> <P>I have the need to filter data based on a specific field value and route to a different group of indexers.</P> <P>Data is coming through HEC configured on a Heavy Forwarder like this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">[http://tokenName] index = main indexes = main outputgroup = my_indexers sourcetype = _json token = &lt;string&gt; source = mysource</LI-CODE> <P>&nbsp;</P> <P>I'd like to use props.conf and transforms.conf as suggested <A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad#Filter_and_route_event_data_to_target_groups" target="_self">here</A>&nbsp;like this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">props.conf [source::mysource] TRANSFORMS-routing=otherIndexersRouting transforms.conf [otherIndexersRouting] REGEX=\"domain\"\:\s\"CARD\" DEST_KEY=_TCP_ROUTING FORMAT=other_indexers</LI-CODE> <P>&nbsp;</P> <P>In outputs.conf I'd add the stanza [tcpOut:other_indexers]</P> <P>&nbsp;</P> <P>Is this possible? Is there another way to achieve this goal?</P> <P>&nbsp;</P> <P>Thank you</P> <P>Marta</P> Wed, 11 May 2022 15:41:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597398#M104300 martaBenedetti 2022-05-11T15:41:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597409#M104303 <P>Close.</P><P>You need to specify the stanza in props.conf as</P><PRE>[source::mysource]</PRE><P>Then you can call appropriate transforms from there.</P><P>Keep in mind though that the hierarchy is source-&gt;host-&gt;sourcetype so if you have - for example - your host field overwritten based on data from the raw event in a transform called from sourcetype-based stanza, you won't be able to use this host value as selector.</P> Wed, 11 May 2022 14:07:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597409#M104303 PickleRick 2022-05-11T14:07:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597411#M104304 <P>The configuration provided in the link should be the way to go. Just make sure that you chose appropriate source ([source::YourSource]) OR sourcetype in props.conf.</P><P>Another example:</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-on-the-Heavy-Forwarder-to-separate/m-p/216971" target="_blank">https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-on-the-Heavy-Forwarder-to-separate/m-p/216971</A></P> Wed, 11 May 2022 14:11:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597411#M104304 somesoni2 2022-05-11T14:11:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597415#M104306 <P>I was afraid the solution couldn't work with HTTP event collector since I've only used this configuration with classic monitor inputs.</P><P>&nbsp;</P><P>The source stanza was just a typo, I've corrected it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Thank you</P><P>Marta</P> Wed, 11 May 2022 14:25:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597415#M104306 martaBenedetti 2022-05-11T14:25:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597417#M104307 <P>The source stanza was just a typo, I've corrected it<SPAN>&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P>&nbsp;</P><P>Thank you</P><P>Marta</P> Wed, 11 May 2022 14:25:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-and-filter-data-from-HEC/m-p/597417#M104307 martaBenedetti 2022-05-11T14:25:52Z