topic Heavy Forwarded Filtering Hosts in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarded-Filtering-Hosts/m-p/536353#M89911 <P>Hello,</P><P>I've ready a ton of forums posts regarding this but I still cannot get it to work so I'm hoping someone could point out what I'm doing wrong.</P><P>The scenario I have is there are multiple hosts with the Splunk agent installed on it and we're currently logging that data to our Splunk indexers + a syslog server. For a short period of time, I want to send a subset of logs only to syslog but I can't seem to get that to work.</P><P>Below is my current config on my heavy forwarders. I expect this to send all hosts with server* to Splunk and syslog but only endpoint* to syslog.</P><P>Right now no matter what I do, everything still goes to Splunk. I even fully commented out the&nbsp;routeSubset section and "splunk reload deploy-server" and I still got those logs in Splunk</P><P>Any thoughts would be greatly appreciated.</P><P><STRONG>props.conf</STRONG><BR />[source::WinEventLog:Security]<BR />TRUNCATE = 0<BR />SEDCMD-win = s/(?mis)(Token\sElevation\sType\sindicates|This\sevent\sis\sgenerated).*$//g<BR />TRANSFORMS-routing = routeSubset, routeSubset2</P><P><STRONG>transforms.conf</STRONG></P><P>[routeSubset]<BR />SOURCE_KEY=MetaData:Host<BR />REGEX=(?i)^server[0-9][0-9].*<BR />DEST_KEY=_TCP_ROUTING<BR />FORMAT=splunkssl</P><P>[routeSubset2]<BR />SOURCE_KEY=MetaData:Host<BR />REGEX=(?i)(.*endpoint[0-9][0-9].*|^server[0-9][0-9].*)<BR />DEST_KEY=_SYSLOG_ROUTING<BR />FORMAT=syslog_server</P> Tue, 19 Jan 2021 17:23:58 GMT ericl42 2021-01-19T17:23:58Z Heavy Forwarded Filtering Hosts https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarded-Filtering-Hosts/m-p/536353#M89911 <P>Hello,</P><P>I've ready a ton of forums posts regarding this but I still cannot get it to work so I'm hoping someone could point out what I'm doing wrong.</P><P>The scenario I have is there are multiple hosts with the Splunk agent installed on it and we're currently logging that data to our Splunk indexers + a syslog server. For a short period of time, I want to send a subset of logs only to syslog but I can't seem to get that to work.</P><P>Below is my current config on my heavy forwarders. I expect this to send all hosts with server* to Splunk and syslog but only endpoint* to syslog.</P><P>Right now no matter what I do, everything still goes to Splunk. I even fully commented out the&nbsp;routeSubset section and "splunk reload deploy-server" and I still got those logs in Splunk</P><P>Any thoughts would be greatly appreciated.</P><P><STRONG>props.conf</STRONG><BR />[source::WinEventLog:Security]<BR />TRUNCATE = 0<BR />SEDCMD-win = s/(?mis)(Token\sElevation\sType\sindicates|This\sevent\sis\sgenerated).*$//g<BR />TRANSFORMS-routing = routeSubset, routeSubset2</P><P><STRONG>transforms.conf</STRONG></P><P>[routeSubset]<BR />SOURCE_KEY=MetaData:Host<BR />REGEX=(?i)^server[0-9][0-9].*<BR />DEST_KEY=_TCP_ROUTING<BR />FORMAT=splunkssl</P><P>[routeSubset2]<BR />SOURCE_KEY=MetaData:Host<BR />REGEX=(?i)(.*endpoint[0-9][0-9].*|^server[0-9][0-9].*)<BR />DEST_KEY=_SYSLOG_ROUTING<BR />FORMAT=syslog_server</P> Tue, 19 Jan 2021 17:23:58 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-Forwarded-Filtering-Hosts/m-p/536353#M89911 ericl42 2021-01-19T17:23:58Z