Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Need help with TCP routing of events from Universal Forwarder

joshuapetitt
Path Finder
‎02-26-2026 08:15 AM

Hi all,

I'm using Splunk Enterprise 9.4.x with Windows Universal Forwarders.

I'm trying to route specific sources and sourcetypes to a special Splunk Indexer, while all other events are routed to the default Indexer.

I have the following outputs.conf on the UF

[tcpout]
defaultGroup = splunkssl # this is defined in another outputs.conf and this works

[tcpout:special]
server = 1.2.3.4:9998

[tcpout-server://1.2.3.4:9998]
sslRootCAPath = # custom cert
sslVerifyServerCert = true
sslCommonNameToCheck = # custom common name
altCommonNameToCheck = 1.2.3.4
 
I have the following props.conf on the UF
 
[source::WinEventLog:Microsoft-Windows-PowerShell/Operational]
TRANSFORMS-route = route_to_special
 

I have the following transforms.conf on the UF

[route_to_special]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = special
 
What I am seeing is that the _internal logs are being sent to the special Indexer, but no other events.
The WinEventLog:Microsoft-Windows-PowerShell/Operational are still being sent to the default Indexer.
 
What am I doing wrong?
Should I expect this to work? 
Should this work for WinEventLog inputs?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎02-26-2026 08:35 AM

Hi @joshuapetitt 

A UF doesnt typically perform transformations such as those you are trying to do because it isnt done during the phases of ingest that the UF performs. 

Instead you could set the _TCP_ROUTING value for your input such as:

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
... the rest of your config...
_TCP_ROUTING = special

For more info on this setting see https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.1/configuration-file-ref...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

Reply
Solved! Jump to solution

joshuapetitt
Path Finder
‎02-26-2026 08:54 AM

This works! Thanks for your quick response 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎02-26-2026 08:35 AM

Hi @joshuapetitt 

A UF doesnt typically perform transformations such as those you are trying to do because it isnt done during the phases of ingest that the UF performs. 

Instead you could set the _TCP_ROUTING value for your input such as:

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
... the rest of your config...
_TCP_ROUTING = special

For more info on this setting see https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.1/configuration-file-ref...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...