All,
Is there a way to route traffic based on host AND sourcetype?
if sourcetype="abc" AND host="zxc" then index=compliance
if sourcetype="abc" and NOT host=zbx then index=web
You can use a combination: in props.conf you set up a transform based on the source type, and then have a regex on the host in the transform, so the transform is only applied for some hosts. Of course, you could just as well do it the other way around by having a props.conf entry for the hosts and the regex on the sourcetype in transforms.conf.
props.conf
[abc]
TRANSFORMS-abc_conditional_routing = TRANSFORMS-abc_conditional_routing
transforms.conf
[TRANSFORMS-abc_conditional_routing]
SOURCE_KEY = MetaData:Host
REGEX = zxc
DEST_KEY = _MetaData:Index
FORMAT = web
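An added example, not part of the original answer, that covers both branches of the question in one configuration: every `abc` event is first routed to `web`, then events from host `zxc` are overridden to `compliance`. The stanza names are hypothetical, and it assumes both indexes already exist and that the files are deployed on the instance that parses the data (indexer or heavy forwarder).

```ini
# ---- props.conf ----
# Example stanza names below are hypothetical; only the sourcetype "abc",
# the host "zxc" and the index names come from the question.
[abc]
# Transforms in one TRANSFORMS-<class> list run left to right, so the
# host-specific rule is listed last and overwrites the default.
TRANSFORMS-abc_conditional_routing = abc_route_default_web, abc_route_zxc_compliance

# ---- transforms.conf ----
# Default for every event of sourcetype "abc": index=web.
[abc_route_default_web]
SOURCE_KEY = MetaData:Host
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = web

# Override for host "zxc" only: index=compliance.
# The MetaData:Host key holds the value with a "host::" prefix, so the
# regex is anchored on it; an unanchored "zxc" would also match hosts
# such as "zxc01" or "azxc".
[abc_route_zxc_compliance]
SOURCE_KEY = MetaData:Host
REGEX = ^host::zxc$
DEST_KEY = _MetaData:Index
FORMAT = compliance
```

After a restart of the parsing instance, a search such as `index=web sourcetype=abc host=zxc` over newly indexed data should return nothing; events already indexed are not moved.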