I want to forward logs to a third-party system (syslog) without indexing this data in Splunk, but I can't accomplish it. Help.

On my heavy forwarder I set up outputs.conf, transforms.conf and props.conf as follows:

outputs.conf:

[syslog:my_syslog_group]
server = <IP>:PORT

transforms.conf:

[send_to_syslog]
REGEX = MY REGEX
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

[not_send_to_syslog]
REGEX = MY REGEX
DEST_KEY = queue
FORMAT = nullQueue

props.conf:

[source::MY_SOURCE]
TRANSFORMS-t0 = send_to_syslog,not_send_to_syslog

This way, logs are not forwarded to my syslog; they are just deleted and not indexed. If I remove [not_send_to_syslog] from props and transforms, data is indexed on Splunk and also forwarded to syslog.

How can I solve my problem: sending data to syslog and not indexing it on Splunk?

Thanks in advance to those who will help me.