Hi @Adpafer , as I said, tcpout is a configuration to send logs from Splunk to another Splunk Indexer, not using syslogs, to use syslogs, you can use the method described in my above url. What's your architecture: have you a distributed architecture (Searche Heads and Indexers) or a standalone instance? As I described, the solution depends on it. probably you need the activity of a Splunk Architect to design your flow. Ciao. Giuseppe

It is not my decision. The requirement is to send logs from indexer. I did dedicated app on indexer to send logs from one index to qradar port 514 and it works fine: outputs.conf: [tcpout] forwardedindex.3.blacklist = (.*) forwardedindex.4.whitelist = (indexA) [tcpout:tcp_qradar_10_10_10_10_514] disabled = false sendCookedData = false server = 10.10.10.10:514   props.conf: [source::9997] TRANSFORMS-routing = send_to_qradar_tcp_10_10_10_10_514   transforms.conf [send_to_qradar_tcp_10_10_10_10_514] DEST_KEY = _TCP_ROUTING FORMAT = tcp_qradar_10_10_10_10_514 REGEX = .   And now I have to add another rule for indexB to be forwarded from indexer to the same IP but port 12468. I do not how  to do it   regards, pawelF  

Hi MC is the best option to start that analysing, but as is has limited to some amount of indexes etc. and you probably want to see more you can use it easily as a starting point! Just select e.g what @richgalloway said and then click that small magnifying glass on bottom of panel and it will open you a search window where you could modify that search as you need. You could e.g. show more individual indexes or extend historic time etc. with your "own" search. r. Ismo

Hi @Adpafer, I suppose that you're sèeaking of forwarding by syslog. the configurations you used are for sending logs to other Indexers not to a third party In this case, you should follow the instructions at https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd#Send_a_subset_of_data_to_a_syslog_server  Usually this configuration is used on Heavy Forwarders, not on Indexers, have you HFs in your architecture? if yes, you can configure them as described in the above documentation, if not, you could use the Syslog Mod Alert App (https://splunkbase.splunk.com/app/4199), even if isn't certified on Splunk 9.x, but on Search Heads, not on Indexers. Ciao. Giuseppe

Hi at search time you could use DELIMS with props.conf & transforms.conf DELIMS = <quoted string list> * NOTE: This setting is only valid for search-time field extractions. * IMPORTANT: If a value may contain an embedded unescaped double quote character, such as "foo"bar", use REGEX, not DELIMS. An escaped double quote (\") is ok. Non-ASCII delimiters also require the use of REGEX. * Optional. Use DELIMS in place of REGEX when you are working with ASCII-only delimiter-based field extractions, where field values (or field/value pairs) are separated by delimiters such as colons, spaces, line breaks, and so on. * Sets delimiter characters, first to separate data into field/value pairs, and then to separate field from value. * Each individual ASCII character in the delimiter string is used as a delimiter to split the event. * Delimiters must be specified within double quotes (eg. DELIMS="|,;"). Special escape sequences are \t (tab), \n (newline), \r (carriage return), \\ (backslash) and \" (double quotes). * When the event contains full delimiter-separated field/value pairs, you enter two sets of quoted characters for DELIMS: * The first set of quoted delimiters extracts the field/value pairs. * The second set of quoted delimiters separates the field name from its corresponding value. * When the event only contains delimiter-separated values (no field names), use just one set of quoted delimiters to separate the field values. Then use the FIELDS setting to apply field names to the extracted values. * Alternately, Splunk software reads even tokens as field names and odd tokens as field values. * Splunk software consumes consecutive delimiter characters unless you specify a list of field names. * The following example of DELIMS usage applies to an event where field/value pairs are separated by '|' symbols and the field names are separated from their corresponding values by '=' symbols: [pipe_eq] DELIMS = "|", "=" * Default: "" But on ingesting time you must use REGEX to separate those if needed. Are you sure that you need this on ingest time and search time is not enough? r. Ismo

why are you trying to forward from indexing layer and not from forwarding layer directly. setup the outputs in HF or SF to send data to qradar and splunk instead of from indexers. Ideally I would do that.

Nice to hear that you found solution or actually several. You should remember that with splunk there are almost always several ways to do things, not only one! When you need to select "the best" one, you should look performance etc. from job inspector to understand better how those are working. Happy Splunking!