[vmw-syslog]
Tranforms-routing=vmwarelogs,discarlogs
[vmwarelogs]
REGEX=(logged out|Rejected password for user|Cannot login|logged in as|Accepted user for user|was updated on host|Password was changed for account|Destroy VM called)
DEST_KEY=_TCP_ROUTING
FORMAT=target1
[discarlogs]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

I have not been able to test on my own, but I believe your problem lies with trying to apply both transforms with one line of props. It is possible for your events to match on both, so the events are sent to the null queue, overriding the assignment to TCP ROUTING. I would try reversing the order as @saravanan90 suggested, but also reducing the complexity of your [vmwarelogs] regex to one kind of event, until you have the routing down, then expand it to cover the other events. The example given in Splunk documentation supports this order.

Props
[source::/var/log/messages]
TRANSFORMS-set= setnull,setparsing
Transforms
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue

https://docs.splunk.com/Documentation/Splunk/8.1.2/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues

Lastly, check to make sure that the data is set to go through the parsing queue wherever you are attempting to apply props.
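The ordering effect described in the answer above, as an added example that is not part of the original post and is not Splunk code. It assumes a simplified model in which transforms run in the listed order and each matching transform overwrites its DEST_KEY; the sample events and the default queue value are constructed for illustration.

```python
import re

# Simplified model (an assumption, not Splunk's implementation): transforms run
# in the order listed in props.conf; every transform whose REGEX matches writes
# FORMAT into DEST_KEY, so the last matching writer of a key wins.
TRANSFORMS = {
    # Stanzas from the question
    "vmwarelogs": (r"(logged out|Rejected password for user|Cannot login|logged in as"
                   r"|Accepted user for user|was updated on host"
                   r"|Password was changed for account|Destroy VM called)",
                   "_TCP_ROUTING", "target1"),
    "discarlogs": (r".", "queue", "nullQueue"),
    # Stanzas from the Splunk documentation example quoted in the answer
    "setnull": (r".", "queue", "nullQueue"),
    "setparsing": (r"\[sshd\]", "queue", "indexQueue"),
}

# Constructed sample events
VMW_EVENT = "Jan  1 00:00:01 esx01 Hostd: Rejected password for user root from 10.0.0.5"
SSHD_EVENT = "Jan  1 00:00:02 host1 [sshd] Accepted publickey for admin"
CRON_EVENT = "Jan  1 00:00:03 host1 cron: job started"


def apply_transforms(event, order):
    """Return the routing keys an event carries after the listed transforms."""
    keys = {"queue": "indexQueue"}  # assumed default: event continues to indexing
    for name in order.split(","):
        regex, dest_key, fmt = TRANSFORMS[name.strip()]
        if re.search(regex, event):
            keys[dest_key] = fmt
    return keys


def is_dropped(event, order):
    """True when the event ends up assigned to the null queue."""
    return apply_transforms(event, order)["queue"] == "nullQueue"


if __name__ == "__main__":
    # Order from the question: the authentication event is routed, then discarded.
    print(apply_transforms(VMW_EVENT, "vmwarelogs,discarlogs"))
    # Documentation order: discard everything, then re-queue the wanted events.
    for ev in (SSHD_EVENT, CRON_EVENT):
        print(is_dropped(ev, "setnull,setparsing"), ev)
    # Same two stanzas reversed: the catch-all runs last and drops everything.
    print(is_dropped(SSHD_EVENT, "setparsing,setnull"))
```

In this model the rejected-password event from the question keeps its `_TCP_ROUTING` value but still ends in `nullQueue`, which is the silent loss of authentication logs the answer describes.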