Hi,
I have a couple of network devices which are sending logs to Splunk over UDP (so no forwarder installed on them).
I'm struggling to get my transforms.conf to redirect the data to a separate index.
The network devices have two transforms rules, the first one being a MetaData:Host being set (instead of IP), which works fine.
What am I doing wrong for the index redirection?
Maybe some issue with SOURCE_KEY? I've tried using SOURCE_KEY = MetaData:Host in transforms.conf.
transforms.conf
[host_rename_rt1]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::rt1
[index_redirect_to_pci]
REGEX = .
DEST_KEY = MetaData:Index
FORMAT = pci
props.conf
[host::x.x.x.x]
TRANSFORMS-rt1 = host_rename_rt1,index_redirect_to_pci
Thanks
You should have _MetaData:Index, not MetaData:Index.
### transforms.conf
[host_rename_rt1]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::rt1
[index_redirect_to_pci]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = pci
### props.conf
[host::x.x.x.x]
TRANSFORMS-rt1 = host_rename_rt1,index_redirect_to_pci
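As an added check (example code written for this thread, not Splunk's own tooling), the script below lints transforms.conf/props.conf text for exactly the mistake above: an index-routing stanza whose DEST_KEY lacks the leading underscore, a FORMAT that is not a bare index name, and a TRANSFORMS- entry naming a stanza that does not exist. The embedded sample configs are copied from the question and the answer.

```python
import configparser

# Constructed sample: the two files from the question, with the broken DEST_KEY.
TRANSFORMS_BROKEN = """
[host_rename_rt1]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::rt1

[index_redirect_to_pci]
REGEX = .
DEST_KEY = MetaData:Index
FORMAT = pci
"""
TRANSFORMS_FIXED = TRANSFORMS_BROKEN.replace("DEST_KEY = MetaData:Index", "DEST_KEY = _MetaData:Index")
PROPS = """
[host::x.x.x.x]
TRANSFORMS-rt1 = host_rename_rt1,index_redirect_to_pci
"""

def parse_conf(text):
    """Splunk .conf files are INI-like; keep key case and tolerate duplicate keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint(transforms_text, props_text):
    """Return a list of problems; an empty list means the routing rules look sane."""
    transforms = parse_conf(transforms_text)
    props = parse_conf(props_text)
    problems = []
    for stanza in transforms.sections():
        dest = transforms[stanza].get("DEST_KEY", "")
        fmt = transforms[stanza].get("FORMAT", "")
        if dest.lower() == "metadata:index":
            # The bug from the thread: index routing needs the leading underscore.
            problems.append(f"[{stanza}] DEST_KEY = {dest}: use _MetaData:Index")
        elif dest == "_MetaData:Index" and "::" in fmt:
            # For the index key, FORMAT is the bare index name (pci), not index::pci.
            problems.append(f"[{stanza}] FORMAT = {fmt}: index FORMAT must be a bare index name")
        elif dest == "MetaData:Host" and not fmt.startswith("host::"):
            problems.append(f"[{stanza}] FORMAT = {fmt}: host FORMAT must be host::<name>")
    for stanza in props.sections():
        for key, value in props[stanza].items():
            if key.upper().startswith("TRANSFORMS-"):
                for name in (n.strip() for n in value.split(",")):
                    if name and not transforms.has_section(name):
                        problems.append(f"[{stanza}] {key} names missing transform {name}")
    return problems

if __name__ == "__main__":
    for label, text in (("question", TRANSFORMS_BROKEN), ("answer", TRANSFORMS_FIXED)):
        print(label, lint(text, PROPS) or "OK")
```

Run it against the question's files and it reports the single DEST_KEY problem; against the answer's files it reports nothing.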