I am trying to aggregate our windows and Linux logs from universal forwarders to a heavy forwarder, finally, to our internal Splunk indexer as well as to a third-party syslog server. I was able to split up the routing and ports to enable logs to go where they need to (_TCP_ROUTING and _SYSLOG_ROUTING), but the syslog server receives the windows event logs as multiple events (each key value seems to get its own line). How can I use props.conf/transforms.conf to parse only the data being forwarded from the windows port on the heavy forwarder to the windows syslog port? -windows universal forwarder is using [WinEventLog://Security] in inputs.conf and [tcpout://server:] -heavy forwarder is using inputs.conf [splunktcp://] configure_host = dns _TCP_ROUTING = WindowsTCP _SYSLOG_ROUTING = WindowsSyslog outputs.conf [syslog] defaultGroup = WindowsSyslog [syslog:WindowsSyslog] server = syslogserver:514 type = tcp -receiving Linux server is using rsyslog port 514/tcp. ... View more

So my issue is that I am not sure how to get Splunk to separate data on the indexer. I am trying to listen on the forwarder port 514 (for Linux syslog) and 6161 (for windows event logs), I use _tcp_routing to send it to a tcpout targetgroup associated with the indexer ports 9997, and 9998. which allows me to have a splunktcp:// index= for each port. Am I doing this all wrong, and how can I get Splunk to separate the windows and Linux logs into two different indexes? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarder: fwd inputs.conf- [scripts://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] disabled=0 [tcp://514] _TCP_ROUTING=Linux [tcp://6161] _TCP_ROUTING=Windows ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ fwd outputs.conf - [tcpout] defaultGroup=Windows, Linux [tcpout:Windows] server=(server ip):9997 [tcpout:Linux] server=(server ip):9998 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ indexer: index inputs.conf - [default] host = somehost1 [tcp://9997] index=windowseventlogs connection_host=dns [tcp://9998] index=linuxauditlogs connection_host=dns ... View more