Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

drop specific eventcode for specific destination

Raghavsri
Loves-to-Learn Lots
‎09-04-2025 08:23 PM

we have one HF , configured to routing into 3 destinations 

2 * syslogNG

1* Splunk HF cluster

our requirement is to drop the specific eventcode 33205 from windows logs , to the one syslogNG destination .. but the same eventcode, need to be recieved by another syslogNG and splunk HF cluster .
when I try to configure, it drop the eventcode for all destinations if i use below entries

 

Props.conf

[source::WinEventLog:Application]
TRANSFORMS-routing = drop_sqld

Transforms.conf

[drop_sqld]
REGEX = (?i)EventCode=33205
DEST_KEY = _raw
FORMAT = nullQueue


can you help on this possiblity ?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-04-2025 11:35 PM

You need to manipulate the _SYSLOG_ROUTING key, not queue (and definitely not _raw!)

0 Karma
Reply

Raghavsri
Loves-to-Learn Lots
‎09-04-2025 11:40 PM

okay thanks, but we have 2 syslog destinations in this intermediate HF ..both syslogNG's destination key configured as _syslog_routing
Need to block the specific windows event code in one syslogNG and need to forward that eventcode in another syslogNG ..
for both syslogNG destinations , configured in different output group in outputs.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...