Hello, I've ready a ton of forums posts regarding this but I still cannot get it to work so I'm hoping someone could point out what I'm doing wrong. The scenario I have is there are multiple hosts with the Splunk agent installed on it and we're currently logging that data to our Splunk indexers + a syslog server. For a short period of time, I want to send a subset of logs only to syslog but I can't seem to get that to work. Below is my current config on my heavy forwarders. I expect this to send all hosts with server* to Splunk and syslog but only endpoint* to syslog. Right now no matter what I do, everything still goes to Splunk. I even fully commented out the routeSubset section and "splunk reload deploy-server" and I still got those logs in Splunk Any thoughts would be greatly appreciated. props.conf [source::WinEventLog:Security] TRUNCATE = 0 SEDCMD-win = s/(?mis)(Token\sElevation\sType\sindicates|This\sevent\sis\sgenerated).*$//g TRANSFORMS-routing = routeSubset, routeSubset2 transforms.conf [routeSubset] SOURCE_KEY=MetaData:Host REGEX=(?i)^server[0-9][0-9].* DEST_KEY=_TCP_ROUTING FORMAT=splunkssl [routeSubset2] SOURCE_KEY=MetaData:Host REGEX=(?i)(.*endpoint[0-9][0-9].*|^server[0-9][0-9].*) DEST_KEY=_SYSLOG_ROUTING FORMAT=syslog_server ... View more

I've done quite a bit of research on this top and I've found this post from a few years ago which references George Starcher's blog post about it. I've gotten quite a ways into it but I've ran into an issue using my new search macro in the "Incident Review - Main" search. Below are the steps I've completed so far. Created a VirusTotal Adaptive Response Action that auto queries the domain of the notable event. This is working very well and I can get the results if I click on my VT notable event. I created a vtpositives(1) macro that looks like this (I know it's not best practices for some of my search items, this is just a dev system) search index=_* OR index=* VirusTotal "queried url" $query$ source!=audittrail | table positives When I run the macro from a search and input the URL, it shows the number of positive hits that VirusTotal shows up, which is the field I want to show up in additional fields under the notable event. I modified the "Incident Review - Main" search to add vtpositives(1) right before the risk_correlation field that is currently last. I have tried both with the (1) and without it. I know that the "query" field populates correctly within the notable event and the VirusTotal results. Once I go to click on the notable events, the page is 100% blank. It does not like my macro at all and prevents any search results from coming up. So my real question is how do I get the positives field out of my search macro and into the notable event? For some reason my URLs are not working above so here they are. - https://answers.splunk.com/answers/481995/splunk-enterprise-security-how-to-add-fields-to-no.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev - http://www.georgestarcher.com/splunk-enterprise-security-enhancing-incident-review/ ... View more