Hello Everyone,
I am integrating logs from Trend Micro Portable Security via HEC.
As per the Trend Micro user guide, they need a HEC token that has access to 5 indexes, namely (scannedlog, detectedlog, applicationinfo, updateinfo, assetinfo); the names should not be changed, as otherwise it will not be able to send logs.
So I have created a HEC token with sourcetype=trendmicro and have given it access to all 5 indexes created on the HF.
Now the catch is that in our Splunk environment we cannot have 5 indexes for one source, so we have created the 5 indexes on the HF (same names as above) and are trying to route all logs for sourcetype trendmicro to an index named app_trendmicro (created on the cluster master).
I have used the following props and transforms.
In props.conf:
[trendmicro]
TRANSFORMS-routing = trendmicro_routing
In transforms.conf:
[trendmicro_routing]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = app_trendmicro
However, we are not able to receive logs and are getting the following error in the _internal index:
Received event for unconfigured/disabled/deleted index
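As an added example (not from the original post, Splunk or Trend Micro), here is a small Python model of the routing path described above: a HEC token that only allows the five Trend Micro index names, the trendmicro_routing transform rewriting _MetaData:Index to app_trendmicro, and a check of the resulting index against the set of indexes that actually exist on the indexers. It assumes Splunk's default SOURCE_KEY of _raw for the transform, and the events and index sets are constructed for illustration.

```python
import re

# Constructed configuration mirroring the props.conf / transforms.conf in the post.
# SOURCE_KEY is Splunk's default (_raw) when a transform does not set it.
TRANSFORMS = {
    "trendmicro_routing": {"SOURCE_KEY": "_raw", "REGEX": r".",
                           "DEST_KEY": "_MetaData:Index", "FORMAT": "app_trendmicro"},
}
PROPS = {"trendmicro": ["trendmicro_routing"]}  # TRANSFORMS-routing = trendmicro_routing

# Indexes the HEC token is allowed to write to (the five names from the Trend Micro guide).
TOKEN_INDEXES = {"scannedlog", "detectedlog", "applicationinfo", "updateinfo", "assetinfo"}

# Constructed HEC payloads; the 'event' text is illustrative only.
SAMPLE_EVENTS = [
    {"index": "scannedlog", "sourcetype": "trendmicro", "event": "scan finished, 0 threats"},
    {"index": "detectedlog", "sourcetype": "trendmicro", "event": "malware detected"},
    {"index": "otherindex", "sourcetype": "trendmicro", "event": "not on the token"},
]


def route_event(event, props=PROPS, transforms=TRANSFORMS):
    """Apply the sourcetype's transforms and return the resulting destination index."""
    meta = {"_MetaData:Index": event["index"], "_raw": event["event"]}
    for name in props.get(event["sourcetype"], []):
        t = transforms[name]
        # The transform only fires when REGEX matches SOURCE_KEY; '.' needs a non-empty _raw.
        if re.search(t["REGEX"], meta.get(t["SOURCE_KEY"], "")):
            meta[t["DEST_KEY"]] = t["FORMAT"]  # FORMAT is the literal index name here
    return meta["_MetaData:Index"]


def check_pipeline(events, token_indexes, indexer_indexes):
    """Classify each event: rejected by the token, routed to a missing index, or ok."""
    results = []
    for ev in events:
        if ev["index"] not in token_indexes:
            results.append((ev["index"], "rejected by HEC token"))
            continue
        dest = route_event(ev)
        status = "ok" if dest in indexer_indexes else "unconfigured index on indexers"
        results.append((dest, status))
    return results


if __name__ == "__main__":
    # An indexer set without app_trendmicro reproduces the 'unconfigured index' situation.
    for dest, status in check_pipeline(SAMPLE_EVENTS, TOKEN_INDEXES, TOKEN_INDEXES):
        print(dest, status)
```

Running it with an indexer index set that does include app_trendmicro flips the first two results to "ok", which is the quickest way to see whether the routing or the index definition is the part to verify.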