I'm struggling to forward only parts of Splunk's license_usage.log. Please consider the following config and tell me whether I'm misunderstanding something. The splunkd.log keeps silent about this and I don't know how to troubleshoot it. Many thanks!
#props.conf
# Attaches index-time transforms to Splunk's own license_usage.log and its
# rotated copies (license_usage.log.1, ...). In a source:: pattern "..." matches
# any run of characters and "." matches a literal period.
# NOTE(review): TRANSFORMS- settings take effect only where events are parsed
# (heavy forwarder or indexer), not on a universal forwarder - confirm which
# instance this file is deployed to.
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
# Transforms in one list are applied in the order written: setnull, then routeSubset.
TRANSFORMS-set = setnull,routeSubset
#transforms.conf
# Matches every non-empty event (REGEX ".") and sets its queue to nullQueue,
# which discards the event.
[setnull]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
# Meant to pick out events containing "cust_pool01" and route them to a tcpout group.
# NOTE(review): no FORMAT is given, so _TCP_ROUTING receives no target group name.
# NOTE(review): nothing sets queue back after setnull, so matching events
# presumably remain in nullQueue and are dropped with the rest. The documented
# keep-a-subset pattern follows setnull with a transform that uses
# DEST_KEY=queue and FORMAT=indexQueue - verify against the Splunk docs.
[routeSubset]
REGEX=cust_pool01
DEST_KEY=_TCP_ROUTING
#outputs.conf
# Global tcpout stanza.
# NOTE(review): server= sits on the global stanza here; receivers are normally
# declared in a named [tcpout:<group>] stanza that defaultGroup or
# _TCP_ROUTING refers to, and no such group exists in this file.
# NOTE(review): no TLS settings are present, so the stream would be sent in
# clear text - confirm whether the path to <receiver> is trusted.
[tcpout]
disabled=false
# false sends raw, unparsed data; presumably the receiver then needs a plain
# TCP input rather than a splunktcp one - confirm.
sendCookedData=false
server=<receiver>:<port>
I ended up with this as a seemingly working version:
#props.conf
# Attaches the routing transform to license_usage.log and its rotated copies.
# In a source:: pattern "..." matches any run of characters and "." matches a
# literal period.
# NOTE(review): TRANSFORMS- settings take effect only on an instance that
# parses events (heavy forwarder or indexer) - confirm.
[source::.../var/log/splunk/(license_usage).log(.\d+)?]
# Only the routing transform is applied; nothing is sent to nullQueue any more.
TRANSFORMS-set=routeSubset
#transforms.conf
# Events matching cust_pool01 get _TCP_ROUTING set to "Subsidiary", which has
# to equal the name of a [tcpout:<group>] stanza in outputs.conf.
# NOTE(review): the values below start with a space after "="; confirm the
# conf parser trims it, otherwise the REGEX would require a leading space.
[routeSubset]
REGEX= cust_pool01
DEST_KEY= _TCP_ROUTING
FORMAT= Subsidiary
#outputs.conf
# Global forwarding settings.
[tcpout]
# Events without an explicit _TCP_ROUTING go to nullGroup, which is disabled
# below; this appears intended to keep everything except the routed subset
# from leaving this instance.
defaultGroup=nullGroup
# Index events locally in addition to forwarding them.
indexAndForward=1
# Placeholder default group: disabled and pointed at a dummy address.
[tcpout:nullGroup]
disabled=true
server=0.0.0.0:0000
# Real destination, selected per event by the routeSubset transform.
# NOTE(review): this group has no TLS settings, so license usage events
# would cross to the subsidiary in clear text. If that link leaves a trusted
# network, add the outputs.conf TLS options (for example clientCert and
# sslVerifyServerCert) and receive on an SSL-enabled splunktcp input.
[tcpout:Subsidiary]
disabled=false
# true sends Splunk-processed ("cooked") data, which a splunktcp input expects.
sendCookedData=true
# NOTE(review): the placeholder reads <server>:<ip>; the setting takes <host>:<port>.
server=<server>:<ip>