Getting Data In

drop specific eventcode for specific destination

Raghavsri
Loves-to-Learn Lots

We have one HF, configured to route into 3 destinations:

2 * syslogNG

1* Splunk HF cluster

Our requirement is to drop the specific EventCode 33205 from Windows logs for one syslogNG destination, but the same EventCode needs to be received by the other syslogNG and the Splunk HF cluster.
When I try to configure it, it drops the EventCode for all destinations if I use the entries below:

 

Props.conf

[source::WinEventLog:Application]
TRANSFORMS-routing = drop_sqld

Transforms.conf

[drop_sqld]
REGEX = (?i)EventCode=33205
DEST_KEY = _raw
FORMAT = nullQueue


Can you help with this possibility?

PickleRick
SplunkTrust

You need to manipulate the _SYSLOG_ROUTING key, not queue (and definitely not _raw!).

Raghavsri
Loves-to-Learn Lots

Okay, thanks, but we have 2 syslog destinations on this intermediate HF. Both syslogNG destinations' key is configured as _syslog_routing.
We need to block the specific Windows EventCode for one syslogNG and need to forward that EventCode to the other syslogNG.
Both syslogNG destinations are configured in different output groups in outputs.conf.

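Added example (not posted by either participant): one way to apply the _SYSLOG_ROUTING approach from the reply to the two-syslog-group setup described in the follow-up. The syslog group names syslog_a and syslog_b, and the transform names, are assumed placeholders for whatever the outputs.conf on the HF actually defines; the tcpout group for the HF cluster is not touched, so _TCP_ROUTING and that destination are unaffected. The idea is to set _SYSLOG_ROUTING explicitly for every event (a catch-all transform that names both groups), then override it for EventCode 33205 so that those events name only the group that should still receive them; because transforms in a TRANSFORMS- list run in order and the last write to a key wins, the override must be listed after the catch-all.

```ini
# outputs.conf on the intermediate HF (assumed group names)
[syslog:syslog_a]
server = syslog-a.example.internal:514

[syslog:syslog_b]
server = syslog-b.example.internal:514

# transforms.conf
# Catch-all: every event from the source is routed to both syslog groups.
[syslog_route_all]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_a,syslog_b

# Override: EventCode 33205 goes to syslog_b only (syslog_a never sees it).
# Regex copied from the original post.
[syslog_route_sqld]
REGEX = (?i)EventCode=33205
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_b

# props.conf
# Order matters: the override must come after the catch-all so its
# value of _SYSLOG_ROUTING is the one that survives.
[source::WinEventLog:Application]
TRANSFORMS-routing = syslog_route_all, syslog_route_sqld
```

Nothing here sends anything to nullQueue, so the event still reaches the Splunk HF cluster and syslog_b; the only effect for matching events is that syslog_a is removed from their syslog routing list. After restarting the HF, a quick check is to trigger or replay one EventCode 33205 event and confirm it arrives at syslog_b and the indexers but not at syslog_a, and that an unrelated Application event still arrives at all three.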