Hi all,

i have a Splunk indexer (version 6.2.14) that receives events from a Splunk forwarder (same version). On the forwarder I have a monitor that reads some files from local filesystem and forwards a subset of them to the indexer. The indexer receives events on a TCP over TLS port and indexes the evens with no problem. Filter on the forwarder works as expected. Now I need to continue to index all that comes from the forwarder, but moreover I need to forward a subset of events received to a third-party destination with TCP (no TLS) protocol. Here is the config I have build:

*FORWARDER
outputs.conf
*

[tcpout]
defaultGroup = <INDEXER_IP>_9999
sslCertPath = /...
sslRootCAPath = /...
sslVerifyServerCert=false
maxQueueSize = 100MB
forwardedindex.3.blacklist = (_internal|_audit|_telemetry|_introspection)

[tcpout:<INDEXER_IP>_9999]
autoLB = false
server = <INDEXER_IP>:9999

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

[CA]
REGEX = (?s)\d+\s\[-(?:07628|07777|07649|07675|07676|07697|07698|07705|07714|07717|07718|07719|07724|07725|97726|07727|07734|07751|07753|07765|07767|07783|07792|07816|07819|07824|07827|07836|07841|07842|07849|07854|07884|07886|07888|07889|07895|07896|07899|07900|07901|07903|07914|07916|07929|07930|07932|07933|07943|07948|07951|07952|07953|07954|07955|07956|07960|07963|07964|07966|07968|07972|07984|07965|07823|07977|07941|07992|07982|07981|07979|07994|07647|07840|07790|07756|07743|07744|07989|07990|07993|07618)\s
DEST_KEY = queue
FORMAT = indexQueue

[udpsyslog]
REGEX = .*\]\: Accepted password.*|.*\)\: session closed.*|.*\)\: session opened.*|.*\)\: authentication failure.*|.*\]\: Failed     password for.*|.*\: invalid user.*|.*\: password changed for.*
DEST_KEY = queue
FORMAT = indexQueue

inputs.conf

[default]
host = <FORWARDER>

[monitor:///tmp/file.log]
time_before_close = 15
disabled = false
followTail = 0
sourcetype = CA

INDEXER:
inputs.conf

[default]
host = <INDEXER>

[splunktcp-ssl:9999]
_INDEX_AND_FORWARD_ROUTING=STRING
_TCP_ROUTING=my_syslog_ca

[SSL]
cipherSuite = TLSv1.2+HIGH:!3DES:@STRENGTH
password = **********
requireClientCert = false
rootCA = /...
serverCert = /...
sslVersions = tls1.2

outputs.conf

[indexAndForward]
index=true
selectiveIndexing=true

[tcpout]
defaultGroup=my_syslog_ca
forwardedindex.3.blacklist = (_internal|_audit|_telemetry|_introspection)

[my_syslog_ca]
indexAndForward = true

[tcpout:my_syslog_ca]
disabled=false
sendCookedData=false
server=<THIRD_PARTY_IP>:9999

props.conf

[source::/tmp/file.log]
TRANSFORMS-ca=send_to_syslog_ca

transforms.conf

[send_to_syslog_ca]
REGEX = (?!.*\[-07965.*Client type: GUI.*Operator\/CMS).*\[-07965.*Client type: GUI.*|(?!.*\[-07966.*Client type: GUI.*Operator\/CMS).*\[-07966.*Client type: GUI.*|.*\[-07968.*|.*ALARM.*|.*\[-07963.*|.*\[-07964.*|.*\[-07972.*|.*\[-07792.*|(?!.*\[-07841.*Nearing expiration).*\[-07841.*|(?!.*\[-07842.*Nearing expiration).*\[-07842.*|(?!.*\[-07895.*Nearing expiration).*\[-07895.*|.*\[-07968.*
DEST_KEY=_TCP_ROUTING
FORMAT=my_syslog_ca

As said, on the forwarder everything works as expected, events are read, filtered and sent to indexer. The indexer index the filtered events received with no issues. The problem is that the filter while sending the events to the third party does not works. The indexer sends everything to the third party, not only the events defined on the regex in the indexer's transforms. What am I doing wrong?

Thanks in advance.

Alessandro