Hi, I want to split out certain event IDs to 2 different indexers from a universal forwarder 6.1.
Could this work?
I tried to create it in 2 separate apps, but it only took on the first one.
[WinEventLog://Security]
disabled=0
whitelist= Category="^Error"
index = Awindows

[WinEventLog://Security]
disabled=0
whitelist= Category="^Info"
index = Bwindows
I want to see if I can control this on the client side, and not on the indexer.
That approach doesn't work because you're essentially overwriting the same value from the second stanza - it has the same name so it's the same stanza.
You can rewrite the index value in transforms.conf:
[send_to_A_index]
REGEX = Category="Error"
DEST_KEY = _MetaData:Index
FORMAT = Awindows

[send_to_B_index]
REGEX = Category="Info"
DEST_KEY = _MetaData:Index
FORMAT = Bwindows
Then refer to those stanzas in props.conf:
[sourcetype, source, or host identifier]
TRANSFORMS-index = send_to_A_index,send_to_B_index
Usually these are on the indexer(s), and in most cases it's best to keep it that way. However, it's possible to use a heavy forwarder on the source host to have the HF do the parsing, filtering, etc.
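To make the routing semantics of the answer concrete, here is an added example (my own code, not Splunk's and not from the answer above) that parses the two transforms.conf stanzas and applies them in the order given by TRANSFORMS-index to constructed Windows Security event text. It models the relevant behaviour only: each listed stanza whose REGEX matches overwrites _MetaData:Index with its FORMAT, and an event matching none keeps the index set in inputs.conf; the sample events and the default index name "windows" are assumptions.

```python
import re

# The transforms.conf stanzas from the answer, embedded here as a constructed copy.
TRANSFORMS_CONF = """
[send_to_A_index]
REGEX = Category="Error"
DEST_KEY = _MetaData:Index
FORMAT = Awindows

[send_to_B_index]
REGEX = Category="Info"
DEST_KEY = _MetaData:Index
FORMAT = Bwindows
"""

# Evaluation order, as listed in props.conf:
# TRANSFORMS-index = send_to_A_index,send_to_B_index
TRANSFORMS_INDEX = ["send_to_A_index", "send_to_B_index"]


def parse_transforms(text):
    """Parse [stanza] headers and key = value lines into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_index(raw_event, default_index, stanzas=None, order=TRANSFORMS_INDEX):
    """Simplified model of TRANSFORMS-index (not Splunk code): stanzas run in
    order, a matching REGEX overwrites _MetaData:Index with FORMAT, and an
    event that matches nothing keeps the index assigned by inputs.conf."""
    stanzas = stanzas or parse_transforms(TRANSFORMS_CONF)
    index = default_index
    for name in order:
        t = stanzas[name]
        if t.get("DEST_KEY") == "_MetaData:Index" and re.search(t["REGEX"], raw_event):
            index = t["FORMAT"]
    return index
```

Because both stanzas write the same DEST_KEY, an event matching more than one of them would end up in the FORMAT of the last match in the list, so keep the regexes mutually exclusive or order them deliberately.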