Getting Data In

Heavy Forwarder Filtering Hosts

ericl42
Path Finder

Hello,

I've read a ton of forum posts regarding this, but I still cannot get it to work, so I'm hoping someone could point out what I'm doing wrong.

The scenario I have is that there are multiple hosts with the Splunk agent installed on them, and we're currently logging that data to our Splunk indexers plus a syslog server. For a short period of time, I want to send a subset of logs only to syslog, but I can't seem to get that to work.

Below is my current config on my heavy forwarders. I expect this to send all hosts matching server* to both Splunk and syslog, but endpoint* hosts only to syslog.

Right now, no matter what I do, everything still goes to Splunk. I even fully commented out the routeSubset section and ran "splunk reload deploy-server", and I still got those logs in Splunk.

Any thoughts would be greatly appreciated.

props.conf
[source::WinEventLog:Security]
TRUNCATE = 0
SEDCMD-win = s/(?mis)(Token\sElevation\sType\sindicates|This\sevent\sis\sgenerated).*$//g
TRANSFORMS-routing = routeSubset, routeSubset2

transforms.conf

[routeSubset]
SOURCE_KEY=MetaData:Host
REGEX=(?i)^server[0-9][0-9].*
DEST_KEY=_TCP_ROUTING
FORMAT=splunkssl

[routeSubset2]
SOURCE_KEY=MetaData:Host
REGEX=(?i)(.*endpoint[0-9][0-9].*|^server[0-9][0-9].*)
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_server
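As an added illustration (not part of the original post or any Splunk code): a small Python model of how the two transforms above evaluate against the value Splunk exposes under SOURCE_KEY=MetaData:Host, which is the string host::<hostname> rather than the bare hostname, and how an event whose _TCP_ROUTING key is never set falls back to the outputs.conf defaultGroup (assumed here to be splunkssl). The anchored ^server pattern never sees a value that starts with "server", so neither transform changes the routing of server hosts.

```python
import re

# The two transforms exactly as posted in the question.
TRANSFORMS = {
    "routeSubset": {
        "regex": r"(?i)^server[0-9][0-9].*",
        "dest_key": "_TCP_ROUTING",
        "format": "splunkssl",
    },
    "routeSubset2": {
        "regex": r"(?i)(.*endpoint[0-9][0-9].*|^server[0-9][0-9].*)",
        "dest_key": "_SYSLOG_ROUTING",
        "format": "syslog_server",
    },
}

# Assumption: the heavy forwarder's outputs.conf has defaultGroup = splunkssl,
# which is where events land when no transform sets _TCP_ROUTING.
DEFAULT_TCP_GROUP = "splunkssl"


def metadata_host(hostname):
    """Value a transform sees for SOURCE_KEY=MetaData:Host: 'host::<name>'."""
    return f"host::{hostname}"


def fired_transforms(hostname, source_key_value=None):
    """Return the names of transforms whose REGEX matches this host's key value."""
    value = metadata_host(hostname) if source_key_value is None else source_key_value
    return [name for name, t in TRANSFORMS.items() if re.search(t["regex"], value)]


def route(hostname, source_key_value=None):
    """Model the resulting destinations: TCP group (default if unset) and syslog group."""
    keys = {}
    for name in fired_transforms(hostname, source_key_value):
        t = TRANSFORMS[name]
        keys[t["dest_key"]] = t["format"]
    return {
        "tcp": keys.get("_TCP_ROUTING", DEFAULT_TCP_GROUP),
        "syslog": keys.get("_SYSLOG_ROUTING"),  # None means no syslog output
    }


if __name__ == "__main__":
    for host in ("server01", "endpoint07"):
        print(host, fired_transforms(host), route(host))
```

Feeding the bare hostname instead of the host:: form (the source_key_value argument) shows the intended behaviour the regexes were written for, which makes the mismatch easy to see.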
