×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
central1
Explorer
Member since: ‎07-27-2011
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎07-27-2011
View All

Re: Can you help me with my routing and filtering ...

by in Deployment Architecture
‎10-29-2018 04:56 PM
1 Karma
‎10-29-2018 04:56 PM
1 Karma
I get it now. We're building a single transform stanza out of the two based on ordering and precedence rules. Thank you!!!! Your help made all the difference. ... View more

Re: Can you help me with my routing and filtering ...

by in Deployment Architecture
‎10-29-2018 04:24 PM
‎10-29-2018 04:24 PM
My confusion then comes in how I understand the two transforms are used. I thought each transform is applied to each event. You're saying they are NOT. If an event matches the 'routeSubset' transform, it won't be evaluated against the 'routeAll' transform?? Isn't ordering important? How does the ordering of the transforms in the props.conf file work then? ... View more

Can you help me with my routing and filtering ques...

by in Deployment Architecture
‎10-26-2018 10:20 AM
‎10-26-2018 10:20 AM
I have a requirement to send certain filtered log events on to a 3rd party in addition to indexing the events locally. I've followed this example http://docs.splunk.com/Documentation/Splunk/7.2.0/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system My solution works great. However, I don't quite understand why. To use Splunk's example, why don't I see duplicate (SYSTEM|CONFIG|THREAT) events in my local indexer?? Doesn't the 'routeAll' transform get hit for every event and therefore forwards all events to the 'Everything' destinations? Why does the 'routeSubset' transform need to forward matching events to both 'Subsidiary' AND 'Everything'? props.conf [syslog] TRANSFORMS-routing = routeAll, routeSubset transforms.conf [routeAll] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=Everything [routeSubset] REGEX=(SYSTEM|CONFIG|THREAT) DEST_KEY=_TCP_ROUTING FORMAT=Subsidiary,Everything ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All