I have set up universal forwarders on our Lync servers to send the WinEventLog:Lync Server events back to the indexers and store the events in index cmp_main:
apps/forwarder_lync/local/inputs.conf
[WinEventLog:Lync Server]
index = cmp_main
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
On the indexers I'm trying to split off all events with Type=Error to a different index, 'cmp_secure':
apps/indexer_lync/local/props.conf
[WinEventLog:Lync Server]
TRANSFORMS-lync_services_failures_security=lync_services_failures_security
apps/indexer_lync/local/transforms.conf
[lync_services_failures_security]
SOURCE_KEY = MetaData:_raw
REGEX = Type=Error
DEST_KEY = _MetaData:Index
FORMAT = cmp_secure
I can't see anything wrong with the code, but it refuses to send it to the other index. If I change the index in the inputs.conf it switches, so I know the app is getting deployed correctly.
Is it because of the space in "Lync Server" in the props.conf sourcetype? Does that need escaping? I didn't think it did as it's encapsulated in the [].
Any ideas?
OK, to answer my own question:
I removed the SOURCE_KEY line from the transforms.conf.
As I understood it, MetaData:_raw should be the default anyway, but obviously it doesn't like it in this instance. Maybe the Windows Event Logs are different?
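To show why dropping the line changes the outcome, here is an added Python illustration (not Splunk's code and not part of the original thread) of the index-routing step. It parses both versions of the transforms.conf stanza and runs them over two constructed Lync event texts: with SOURCE_KEY set to MetaData:_raw there is no such field for the regex to run against, so the event stays in cmp_main; with SOURCE_KEY omitted the default source field is _raw, the regex matches the literal "Type=Error" line, and the event is routed to cmp_secure. The event contents, EventCode values and the simplified pipeline model are assumptions made for the example.

```python
import configparser
import re

# Two constructed transforms.conf stanzas (illustration only, not Splunk's own
# code): the stanza from the question, and the same stanza with SOURCE_KEY
# removed so the regex is applied to the default source field, _raw.
BROKEN_TRANSFORMS = """
[lync_services_failures_security]
SOURCE_KEY = MetaData:_raw
REGEX = Type=Error
DEST_KEY = _MetaData:Index
FORMAT = cmp_secure
"""

FIXED_TRANSFORMS = """
[lync_services_failures_security]
REGEX = Type=Error
DEST_KEY = _MetaData:Index
FORMAT = cmp_secure
"""

STANZA = "lync_services_failures_security"
DEFAULT_INDEX = "cmp_main"  # the index set in inputs.conf

# Constructed sample events shaped like the classic text rendering of a
# Windows event log entry; the EventCode and Message values are made up.
ERROR_EVENT = (
    "LogName=Lync Server\n"
    "SourceName=LS User Services\n"
    "EventCode=99999\n"
    "Type=Error\n"
    "Message=Constructed sample: a front-end service failed to start.\n"
)
INFO_EVENT = (
    "LogName=Lync Server\n"
    "SourceName=LS User Services\n"
    "EventCode=99998\n"
    "Type=Information\n"
    "Message=Constructed sample: service started normally.\n"
)


def load_transform(conf_text: str, stanza: str) -> dict:
    """Parse one transforms.conf stanza into a dict, preserving key case."""
    # Only '=' separates keys from values; ':' must stay part of values such
    # as _MetaData:Index.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep SOURCE_KEY / DEST_KEY exactly as written
    cp.read_string(conf_text)
    return dict(cp[stanza])


def route_event(raw: str, transform: dict, default_index: str = DEFAULT_INDEX) -> str:
    """Return the index an event lands in under a simplified model of the
    index-time pipeline: read SOURCE_KEY (default _raw), apply REGEX, and on a
    match write FORMAT into DEST_KEY (_MetaData:Index for index routing)."""
    fields = {"_raw": raw, "_MetaData:Index": default_index}
    source_key = transform.get("SOURCE_KEY", "_raw")
    subject = fields.get(source_key)
    if subject is None:
        # MetaData:_raw is not a field the pipeline knows, so there is nothing
        # for the regex to run against and the event keeps the default index.
        return fields["_MetaData:Index"]
    if re.search(transform["REGEX"], subject):
        fields[transform["DEST_KEY"]] = transform["FORMAT"]
    return fields["_MetaData:Index"]


def route_all(events, transform):
    """Map each event to its destination index; handy for a quick dry run."""
    return [route_event(ev, transform) for ev in events]


if __name__ == "__main__":
    broken = load_transform(BROKEN_TRANSFORMS, STANZA)
    fixed = load_transform(FIXED_TRANSFORMS, STANZA)
    print("broken stanza:", route_all([ERROR_EVENT, INFO_EVENT], broken))
    print("fixed stanza: ", route_all([ERROR_EVENT, INFO_EVENT], fixed))
```

Two things worth checking before relying on this routing for a restricted index: the regex only matches if the literal "Type=Error" text is present in _raw (true for the classic text rendering of Windows event logs, not for XML-rendered events), and index-time transforms only run where the data is parsed, which for universal-forwarder input is the indexer, so the props.conf and transforms.conf stanzas have to live there.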