I’m trying to split my Windows events so that:

- All events get forwarded to a syslog server.
- Only certain Event IDs (ex: 5156) get indexed in Splunk.

Here’s what I’ve done so far:

props.conf

```
[source::XmlWinEventLog...]
TRANSFORMS-win = send_to_syslog
```

transforms.conf

```
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
```

outputs.conf

```
[syslog:my_syslog_group]
server = loghost.example.com:514
```

That part works — all events are being forwarded to syslog. But when I try to add a second transform to only index a few events, Splunk still indexes everything:

props.conf

```
[source::XmlWinEventLog...]
TRANSFORMS-win = send_to_syslog, filter_to_splunk
```

transforms.conf

```
[filter_to_splunk]
REGEX = (5156)
DEST_KEY = _TCP_ROUTING
FORMAT = my_splunk_group
```

I also tried nullQueue first, then forwarding, but either:

- Everything gets filtered out from both syslog and Splunk, or
- Everything still goes to both syslog and Splunk.

In short:

👉 I want all events → syslog
👉 Only some events → Splunk

But I can’t get the routing to separate correctly.
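A routing layout that keeps the syslog copy unconditional while sending only the selected Event ID to the indexers, added here as an illustration; it is not part of the original question and not an accepted answer. It assumes the XML-rendered sourcetype stanza `[XmlWinEventLog]` in place of the question's truncated source stanza, an assumed indexer address `indexer.example.com:9997` under `[tcpout:my_splunk_group]`, and the documented fallback that an event no `_TCP_ROUTING` transform selects is sent to `defaultGroup`, so leaving `defaultGroup` unset in `[tcpout]` means such events are not forwarded to any indexer. It also matches the `<EventID>` element instead of the bare digits, so a port or PID that happens to contain 5156 does not select the event.

```ini
# props.conf  (added example, not from the original post)
# Assumed sourcetype stanza for XML-rendered Windows events.
# Both transforms run, in the listed order, on every event.
[XmlWinEventLog]
TRANSFORMS-win = send_to_syslog, index_5156_only

# transforms.conf
# Unconditional: every event gets a syslog copy.
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

# Selective: only the EventID element equal to 5156 picks the tcpout group.
# The optional attribute group handles <EventID Qualifiers="...">5156</EventID>.
[index_5156_only]
REGEX = <EventID(?:\s[^>]*)?>5156</EventID>
DEST_KEY = _TCP_ROUTING
FORMAT = my_splunk_group

# outputs.conf
[syslog:my_syslog_group]
server = loghost.example.com:514

[tcpout]
# Deliberately no defaultGroup: an event that no transform routed to a
# tcpout group is not forwarded to the indexers.

[tcpout:my_splunk_group]
# Assumed indexer address.
server = indexer.example.com:9997
```

The reason nullQueue cannot be combined with this is that `DEST_KEY = queue` / `FORMAT = nullQueue` discards the event in the parsing pipeline, before the output processor ever sees it, so the syslog copy is lost together with the indexed one; selecting the tcpout group per event and leaving the default group unset avoids touching the queue at all. If the heavy forwarder also indexes locally, set `index = false` under `[indexAndForward]` in outputs.conf, otherwise the unrouted events are stored there instead. After deploying, `splunk btool props list XmlWinEventLog --debug` and `splunk btool transforms list --debug` show which files the merged stanzas actually come from, which is the quickest way to confirm that the second transform is in the list and in the expected order.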