Please assume the below in transforms.conf:

[send_rawevents]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1

[send_to_null_tcp]
REGEX = CEF\:0\|ids
DEST_KEY = _TCP_ROUTING
FORMAT = nothing

[send_to_syslog]
REGEX = CEF\:0\|ids
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_group
The objective here is to send all events to the tcp out unless they match the regex CEF:0|ids, in which case the events should be sent to the syslog out.
What I can't sort out is how to reset _TCP_ROUTING back to nothing in those events that are routed to syslog (since I don't want to have them duplicated).
Does anyone have any idea here?
Thanks!
(More details can be found here: https://www.linkedin.com/pulse/how-make-splunk-heavy-forwarder-reiterate-over-after-changing-efi/)