Getting Data In

Route Windows events in RFC3614 format to splunk and Syslog format to syslog reciever.

Path Finder


we are trying to route windows security event logs from UF's to Splunk indexers and also to a syslog aggregator.

we would like to read the event log only once on the UF and are using a HF as interim relay to route data to desired locations.

On UF we have the Splunk_TA_Windows application deployed

On HF we have a outputs.conf:
connectionTimeout = 45
defaultGroup = all_indexers
forwardedindex.0.whitelist = .*

autoLB = true
server = IDX1:9997, IDX2:9997

connectionTimeout = 45

server = Syslog1:514

TRANSFORMS-routing = WinSecEvent-Splunk,WinSecEvent-Syslog
SEDCMD = s/[\t\n\r]/ /g


REGEX = (.)
FORMAT = all_indexers

REGEX = (.)
FORMAT = clf_syslog_group

The above configuration works fine until the part where it routes data to different output groups.

However, I would like the splunk indexed logs would still be in the RFC 3614 or splunk parsed format but have events on syslog as normalized using above props.

is this a possibility? how do we apply two parsing patterns for one sourcetype? - maybe based on the output group?

please advise.


0 Karma
Get Updates on the Splunk Community!

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...