How to reset the _TCP_ROUTING dest key

efika
Communicator

Please assume the below in transforms.conf

[send_rawevents]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1

[send_to_null_tcp]
REGEX = CEF\:0\|ids
DEST_KEY = _TCP_ROUTING
FORMAT = nothing

[send_to_syslog]
REGEX = CEF\:0\|ids
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_group

The objective here is to send all events to the tcp out unless they match the regex CEF:0|ids, in which case events should be sent to the syslog out.

What I can't sort out is how to reset the _TCP_ROUTING back to nothing in those events that are routed to syslog (since I don't want to have them duplicated).

Does anyone have any idea here?

Thanks!

(More details can be found here: https://www.linkedin.com/pulse/how-make-splunk-heavy-forwarder-reiterate-over-after-changing-efi/)
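
Added example (not part of the original post and not Splunk code): a small Python model of the three transforms above, for checking which routing keys an event ends up with and whether any event would be duplicated or dropped. It assumes the transforms are applied in the order listed, that a later write to the same DEST_KEY replaces an earlier one, and that `nothing` names an output group that forwards nowhere; the sample events and function names are constructed for illustration.

```python
import re

# Transforms copied from the post, in the order they are listed there.
# Assumption: props.conf applies them in this order.
TRANSFORMS = [
    ("send_rawevents",   r".",           "_TCP_ROUTING",    "indexer1"),
    ("send_to_null_tcp", r"CEF\:0\|ids", "_TCP_ROUTING",    "nothing"),
    ("send_to_syslog",   r"CEF\:0\|ids", "_SYSLOG_ROUTING", "syslog_group"),
]

# Constructed sample events, not taken from the post.
CEF_EVENT = "CEF:0|ids|sensor|1.0|100|constructed alert|5|src=10.0.0.1"
OTHER_EVENT = "Oct 10 12:00:00 host sshd[123]: Accepted publickey for user"
SAMPLE_EVENTS = [CEF_EVENT, OTHER_EVENT]


def route(raw, transforms=TRANSFORMS):
    """Return the routing keys an event carries after all transforms ran."""
    keys = {}
    for _name, regex, dest_key, fmt in transforms:
        if re.search(regex, raw):
            keys[dest_key] = fmt  # a later match on the same key overwrites
    return keys


def audit(events, transforms=TRANSFORMS, null_group="nothing"):
    """List events that would go to both outputs or to neither.

    Assumption: null_group is a TCP group name that forwards nowhere.
    """
    findings = []
    for raw in events:
        keys = route(raw, transforms)
        tcp = keys.get("_TCP_ROUTING")
        syslog = keys.get("_SYSLOG_ROUTING")
        tcp_live = tcp is not None and tcp != null_group
        if tcp_live and syslog:
            findings.append(("duplicate", raw))
        elif not tcp_live and not syslog:
            findings.append(("dropped", raw))
    return findings


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(route(event), "<-", event)
    # Listing the catch-all transform last re-arms TCP routing for CEF events.
    print(audit(SAMPLE_EVENTS, TRANSFORMS[1:] + TRANSFORMS[:1]))
```

Under these assumptions the ordering matters: with the catch-all `send_rawevents` listed last, the CEF event is flagged as a duplicate because `_TCP_ROUTING` is set back to `indexer1`.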
