Hi there,

I'm trying to set up forwarding from Splunk to 3rd party tool and I spent a lot of time searching for the answer on my question why Splunk doesn't forward events which are collected by using Splunk OPSEC LEA Connector or Splunk DB Connect. Other events like Windows Events which are collected by SUF are forwarded fine to 3rd party.

I've reread a lot of times Splunk Docs but I didn't found any issue on my side

My schema installation looks like:

Heavy Forwarder with installed Splunk OPSEC LEA and Splunk DB Connect >
Indexers with config files shown below >
3rd party tool

I've got the following configuration files:

props.conf
`[WinEventLog:Security]
TRANSFORMS-routing = dst_2024
[WinEventLog:System]
TRANSFORMS-routing = dst_2024
[WinEventLog:Application]
TRANSFORMS-routing = dst_2024

[opsec]
TRANSFORMS-opsec = dst_2025
[opsec:vpn]
TRANSFORMS-routing = dst_2025
[opsec:smartdefense]
TRANSFORMS-routing = dst_2025`

transforms.conf
[dst_2024]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = dst-sensor-2024
[dst_2025]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = dst-sensor-2025

outputs.conf
`[tcpout]
defaultGroup = nothing
indexAndForward = 1

Windows

[tcpout:dst-sensor-2024]
disabled = false
server = XX.XX.XX.XX:2024
sendCookedData = false
dropEventsOnQueueFull = 1

Checkpoint

[tcpout:dst-sensor-2025]
disabled = false
server = XX.XX.XX.XX:2025
sendCookedData = false
dropEventsOnQueueFull = 1`

Does someone have any idea what sort of mistake was made by me or it might be a bug?
I've tried to set up CheckPoint input on Indexer and I found that Splunk started forwarded data but I still don't understand what the problem.