Hello Splunker,

I'm currently working on a new use case and need some help.

I'm working on an HF receiving Microsoft Cloud Logs (with https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices) and I would like to forward those logs to two different TCP outputs (Splunk indexers), one with some fields anonymized, and the other without any index-time transformation.

Here is a schema to help you understand my problem:

My thoughts:

I currently have an inputs.conf configured on my HF to receive the logs from MS Cloud (with sourcetype set to mscs:azure:eventhub; I think it's compulsory to keep this sourcetype).

Then I created props.conf & transforms.conf, but should I put two TRANSFORMS-<class> in order to have two different transforms depending on the destination?

My props.conf:

[mscs:azure:eventhub]
TRANSFORMS-anonymize = user-anonymizer

My transforms.conf:

[user-anonymizer]
REGEX = ^(.*?)"\[{\\"UserName\\":[^,]*(.*)
FORMAT = $1"###"$2
DEST_KEY = _raw

Thanks a lot,
Gaétan
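One way to get an untouched copy and an anonymized copy from the same input, given here as an added example that is not part of the original post: clone each event into a second sourcetype with CLONE_SOURCETYPE, mask only the clone, and send the clone to the second output group with _TCP_ROUTING. The cloned sourcetype name mscs:azure:eventhub:anon, the output group names and the server addresses are assumptions.

```ini
# outputs.conf (group names and server addresses are placeholders)
[tcpout]
# Events without an explicit _TCP_ROUTING go here: the unmodified copy.
defaultGroup = clear_indexers

[tcpout:clear_indexers]
server = idx-clear.example.com:9997

[tcpout:anon_indexers]
server = idx-anon.example.com:9997

# props.conf
# Original sourcetype: no masking, only duplicate every event.
[mscs:azure:eventhub]
TRANSFORMS-clone = clone-for-anon

# Cloned sourcetype (assumed name): mask first, then route to the second group.
[mscs:azure:eventhub:anon]
TRANSFORMS-anonymize = user-anonymizer, route-anon

# transforms.conf
# Duplicate each matching event under the new sourcetype.
[clone-for-anon]
REGEX = .
CLONE_SOURCETYPE = mscs:azure:eventhub:anon

# The masking transform from the post, unchanged.
[user-anonymizer]
REGEX = ^(.*?)"\[{\\"UserName\\":[^,]*(.*)
FORMAT = $1"###"$2
DEST_KEY = _raw

# Override the output group for the cloned (masked) events only.
[route-anon]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = anon_indexers
```

The anonymized copy reaches its indexers under the cloned sourcetype, so anything keyed on mscs:azure:eventhub (such as the add-on's search-time extractions) has to be mapped to the new name on that side.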