Deployment Architecture

How to reset the _TCP_ROUTING dest key

efika
Communicator

Please assume the below in transforms.conf

[send_rawevents]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1

[send_to_null_tcp]
REGEX = CEF\:0\|ids
DEST_KEY = _TCP_ROUTING
FORMAT = nothing

[send_to_syslog]
REGEX = CEF\:0\|ids
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_group

The objective here is to send all event to the tcp out unless they match the regex CEF:0|ids in which case events should be sent to the syslog out.

What I can't sort out is how to reset the _TCP_ROUTING back to nothing in those events that are routed to syslog (since I don't want to have them duplicated).

Anyone has any idea here ?

Thanks !

(More details can be found here : https://www.linkedin.com/pulse/how-make-splunk-heavy-forwarder-reiterate-over-after-changing-efi/)

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...