https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397436#M70849 <P>I checked my transforms.conf and the two _TCP_ROUTING are from my [index01] and [index02] stanzas</P> <P>And on my props.conf I can see my transformation applied.</P> <P>/opt/splunk/etc/apps/hf/local/props.conf [browser]<BR /> /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True<BR /> /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true<BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE = <BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True<BR /> /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8<BR /> /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml<BR /> /opt/splunk/etc/system/default/props.conf HEADER_MODE = <BR /> /opt/splunk/etc/system/default/props.conf LEARN_MODEL = true<BR /> /opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true<BR /> /opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100<BR /> /opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000<BR /> /opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000<BR /> /opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2<BR /> /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600<BR /> /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800<BR /> /opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256<BR /> /opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128<BR /> /opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER = <BR /> /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER = <BR /> /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE = <BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard<BR /> /opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True<BR /> /opt/splunk/etc/system/default/props.conf TRANSFORMS = <BR /> /opt/splunk/etc/apps/hf/local/props.conf TRANSFORMS-routing = index02<BR /> /opt/splunk/etc/system/default/props.conf TRUNCATE = 10000<BR /> /opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false<BR /> /opt/splunk/etc/system/default/props.conf maxDist = 100<BR /> /opt/splunk/etc/system/default/props.conf priority = <BR /> /opt/splunk/etc/system/default/props.conf sourcetype = </P> Tue, 29 Sep 2020 19:32:07 GMT lit_gustavo 2020-09-29T19:32:07Z https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397432#M70845 <P>Hi guys I tried hard here and read some docs:<BR /> (<A href="https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf">https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf</A>)<BR /> (<A href="https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Propsconf">https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Propsconf</A>)<BR /> (<A href="https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Transformsconf">https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Transformsconf</A>)<BR /> (<A href="https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Outputsconf">https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Outputsconf</A>)<BR /> (<A href="https://docs.splunk.com/Documentation/Splunk/7.1.0/Forwarding/Forwarddatatothird-partysystemsd">https://docs.splunk.com/Documentation/Splunk/7.1.0/Forwarding/Forwarddatatothird-partysystemsd</A>)<BR /> (<A href="https://answers.splunk.com/answers/474297/how-to-route-and-filter-data-on-the-heavy-forwarde.html?utm_source=typeahead&amp;utm_medium=newquestion&amp;utm_campaign=no_votes_sort_relev">https://answers.splunk.com/answers/474297/how-to-route-and-filter-data-on-the-heavy-forwarde.html?utm_source=typeahead&amp;utm_medium=newquestion&amp;utm_campaign=no_votes_sort_relev</A>)</P> <P>But I don´t know what I am doing wrong. I just have to send data to different indexers, but my Heavy Forwarder is clonning the data (I need some of data on indexer01 and the other on indexer02).</P> <P>Here is my inputs.conf (all configs on my Heavy Forwarder)</P> <PRE><CODE>[splunktcp://9997] </CODE></PRE> <P>Here is my props.conf</P> <PRE><CODE>[host::SRVPRD0001] TRANSFORMS-routing = index01 [host::SRVPRD0002] TRANSFORMS-routing = index02 [host::SRVPRD0003] TRANSFORMS-routing = index02 [host::SRVPRD0004] TRANSFORMS-routing = index02 [host::SRVPRD0005] TRANSFORMS-routing = index02 </CODE></PRE> <P>Here my transforms.conf</P> <PRE><CODE>[index01] REGEX= . DEST_KEY=_TCP_ROUTING FORMAT=sendtoidx01 [index02] REGEX= . DEST_KEY=_TCP_ROUTING FORMAT=sendtoidx02 </CODE></PRE> <P>Here my outputs.conf</P> <PRE><CODE>[default] indexAndForward=false [tcpout:sendtoidx01] disabled=false server=192.168.1.73:9997 [tcpout:sendtoidx02] disabled=false server=192.168.1.72:9997 </CODE></PRE> Mon, 14 May 2018 02:11:39 GMT https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397432#M70845 lit_gustavo 2018-05-14T02:11:39Z https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397433#M70846 <P>Any chance that your props stanzas don't match? Everything else looks fine to me...</P> Mon, 14 May 2018 08:29:35 GMT https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397433#M70846 xpac 2018-05-14T08:29:35Z https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397434#M70847 <P>Hi xpac, I changed the stanza on my props.conf to <A href="https://community.splunk.com/the%20data%20sourcetype">browser</A></P> <P>[browser]<BR /> TRANSFORMS-routing = index02</P> <P>That way all data should flow only to index02, however my heavy forwarder still splits the data.</P> Mon, 14 May 2018 13:59:06 GMT https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397434#M70847 lit_gustavo 2018-05-14T13:59:06Z https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397435#M70848 <P>Mhh, I'd try a <CODE>splunk btool props list</CODE> or <CODE>splunk show config props</CODE>to see if the config is actually applied, or if anything is applied after those transforms that might reset the _TCP_ROUTING variable...</P> Tue, 29 Sep 2020 19:28:33 GMT https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397435#M70848 xpac 2020-09-29T19:28:33Z https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397436#M70849 <P>I checked my transforms.conf and the two _TCP_ROUTING are from my [index01] and [index02] stanzas</P> <P>And on my props.conf I can see my transformation applied.</P> <P>/opt/splunk/etc/apps/hf/local/props.conf [browser]<BR /> /opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True<BR /> /opt/splunk/etc/system/default/props.conf AUTO_KV_JSON = true<BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE = <BR /> /opt/splunk/etc/system/default/props.conf BREAK_ONLY_BEFORE_DATE = True<BR /> /opt/splunk/etc/system/default/props.conf CHARSET = UTF-8<BR /> /opt/splunk/etc/system/default/props.conf DATETIME_CONFIG = /etc/datetime.xml<BR /> /opt/splunk/etc/system/default/props.conf HEADER_MODE = <BR /> /opt/splunk/etc/system/default/props.conf LEARN_MODEL = true<BR /> /opt/splunk/etc/system/default/props.conf LEARN_SOURCETYPE = true<BR /> /opt/splunk/etc/system/default/props.conf LINE_BREAKER_LOOKBEHIND = 100<BR /> /opt/splunk/etc/system/default/props.conf MATCH_LIMIT = 100000<BR /> /opt/splunk/etc/system/default/props.conf MAX_DAYS_AGO = 2000<BR /> /opt/splunk/etc/system/default/props.conf MAX_DAYS_HENCE = 2<BR /> /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_AGO = 3600<BR /> /opt/splunk/etc/system/default/props.conf MAX_DIFF_SECS_HENCE = 604800<BR /> /opt/splunk/etc/system/default/props.conf MAX_EVENTS = 256<BR /> /opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 128<BR /> /opt/splunk/etc/system/default/props.conf MUST_BREAK_AFTER = <BR /> /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_AFTER = <BR /> /opt/splunk/etc/system/default/props.conf MUST_NOT_BREAK_BEFORE = <BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION = indexing<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-all = full<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-inner = inner<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-outer = outer<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-raw = none<BR /> /opt/splunk/etc/system/default/props.conf SEGMENTATION-standard = standard<BR /> /opt/splunk/etc/system/default/props.conf SHOULD_LINEMERGE = True<BR /> /opt/splunk/etc/system/default/props.conf TRANSFORMS = <BR /> /opt/splunk/etc/apps/hf/local/props.conf TRANSFORMS-routing = index02<BR /> /opt/splunk/etc/system/default/props.conf TRUNCATE = 10000<BR /> /opt/splunk/etc/system/default/props.conf detect_trailing_nulls = false<BR /> /opt/splunk/etc/system/default/props.conf maxDist = 100<BR /> /opt/splunk/etc/system/default/props.conf priority = <BR /> /opt/splunk/etc/system/default/props.conf sourcetype = </P> Tue, 29 Sep 2020 19:32:07 GMT https://community.splunk.com/t5/Getting-Data-In/Route-data-on-Heavy-Forwarder-is-not-working/m-p/397436#M70849 lit_gustavo 2020-09-29T19:32:07Z