Hello,

I have been trying to get a Splunk config to work for a while, and have come here for help! I'm out of ideas.

I have Network Syslog from many different sources all being sent to a Heavy Forwarder. My hope is to get the syslog matched against two different regexes and have the matched data sent to two different locations.

My Configs:

props

[host::*]
TRANSFORMS-SYSLOG = send_to_serverA, send_to_serverB

transforms

[send_to_serverA]
regex = "regex goes here"
DEST_KEY = _SYSLOG_ROUTING
FORMAT = serverA

[send_to_serverB]
regex = "regex goes here"
DEST_KEY = _SYSLOG_ROUTING
FORMAT = serverB

outputs

[syslog:serverA_group]
server = x.x.x.1:514,x.x.x.2:514

[syslog:serverB_group]
server = x.x.1.1:514,x.x.1.2:514

This is currently not working and it seems to have something to do with the DEST_KEY = _SYSLOG_ROUTING. I get some very strange results.

Can anyone point out where I have gone wrong? Can this be done?

Regards,
Ryan