I have set up a props.conf with:
[host::server*]
TRANSFORMS-movetonewindex = newindex
And a transforms.conf with:
[newindex]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = new
How do I not send the splunkd sourcetype to the "new" index and let it go to where it normally goes?
You could just do this:
props.conf
[splunkd]
TRANSFORMS-stayput = leaveitalone
transforms.conf
[leaveitalone]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = _internal