How to configure splunk HF to route the events whi...

Splunk Search

Hello Community,

We have 2 target groups to route events.(2 indexers, one is ours and other 3rd party)

i want to configure Splunk HF to route events which does not contain particular keyword, ( like a NOT operation) to one target group and all events to other target group

For example below should be my transforms.conf except that i am not sure about the Regex command.

transforms.conf

[specific_events]
REGEX = "NOT ping"
DEST_KEY = _TCP_ROUTING
FORMAT = specific_event_targetgroup

[all_events]

REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = all_event_targetgroup

I have tried few Regex commands ^(?!.*ping).* and ^((?!ping).)*$ which worked in regex101 and splunk UI search but not in the conf files. Once i have applied these regex commands to conf file, no events were reaching indexers. Can someone help on this?

Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...