How to configure splunk HF to route the events whi...

Splunk Search

Hello Community,

We have 2 target groups to route events.(2 indexers, one is ours and other 3rd party)

i want to configure Splunk HF to route events which does not contain particular keyword, ( like a NOT operation) to one target group and all events to other target group

For example below should be my transforms.conf except that i am not sure about the Regex command.

transforms.conf

[specific_events]
REGEX = "NOT ping"
DEST_KEY = _TCP_ROUTING
FORMAT = specific_event_targetgroup

[all_events]

REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = all_event_targetgroup

I have tried few Regex commands ^(?!.*ping).* and ^((?!ping).)*$ which worked in regex101 and splunk UI search but not in the conf files. Once i have applied these regex commands to conf file, no events were reaching indexers. Can someone help on this?

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...