OK, so I'm not sure what I'm doing wrong here. I need to send data coming in on the standard syslog UDP 514 stream based on hostname (most of it going to main, the rest going to a custom index).
I created a new props.conf in etc/system/local with just:
[host::10.10.10.*]
TRANSFORM-test = route_to_test
And a new transforms.conf with just:
[route_to_test]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = test
My intention was to route anything coming in from 10.10.10.* to an index named test, however everything is still going to main.
What am I missing?
Hey Guys,
I have the same question. I have 4 hosts, 2 development and 2 production. I have created two indexes, dev and prod.
I am using syslog on TCP port 514, so how should I send the production logs to the prod index and the dev logs to the dev index?
I tried every combination but no luck... please help me find a solution.
Really though, it seems to me his original solution should work as long as the incoming host name is in fact 10.10.10.*. I guess I would set the sourcetype to something not syslog (something that doesn't set the host) so you can see what's in the incoming data to be sure.
Oh, wait. Can you try:
TRANSFORMS-test = route_to_test
instead of:
TRANSFORM-test = route_to_test
And also, as southeringtonp suggests, do not use the regex .* ; use just .? or (?=) instead.
This is how you need to configure the transform:
[route_to_test]
SOURCE_KEY=MetaData:Host
DEST_KEY=_MetaData:Index
REGEX=^host::(10\.10\.10\.\d+)$
FORMAT=test
WRITE_META=true
and you could use the sourcetype or source in the props:
[syslog]
TRANSFORMS-test = route_to_test
or
[source::udp:514]
TRANSFORMS-test = route_to_test
Are you sure? I have experienced in the past that it did not work without WRITE_META...
No, you don't need WRITE_META = true if writing to the _MetaData:Index DEST_KEY.
You could probably use your approach with the WRITE_META=true stuff as well. Didn't try that one exactly myself.
Like this: REGEX=^host::(10\.10\.10\.\d+|192\.168\.0\.\d+)$
So how would you do multiple subnets (or hosts) to multiple indexes then coming in on a syslog stream?
Does the REGEX statement require a capture group here? I can't remember...
What happens if you change it to:
REGEX = (.)
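Added example, not code from the thread or from Splunk: a small Python model of how the props.conf/transforms.conf routing discussed above is evaluated. It shows the TRANSFORMS- versus TRANSFORM- key problem from the original post, the "host::<value>" form that a SOURCE_KEY of MetaData:Host is matched against, and the answer to the multiple-subnets question: one syslog input, a props stanza keyed on the source, and one transform per subnet listed in a single TRANSFORMS- line. All stanzas, hostnames and log lines are constructed for the example, and props wildcard matching is simplified to '*' only.

```python
"""Toy model of Splunk index routing via props.conf and transforms.conf.
Added illustration, not Splunk's code: it mimics the documented behaviour (a
matching props stanza's TRANSFORMS-<class> list runs in order; each transform
tests REGEX against SOURCE_KEY; DEST_KEY=_MetaData:Index with FORMAT=<index>
picks the index).  All stanzas, hosts and log lines are constructed."""
import re

# The original post's config: "TRANSFORM-" (singular) is not a setting Splunk
# knows, so the transform never runs and everything stays in main.
BROKEN_PROPS = """
[host::10.10.10.*]
TRANSFORM-test = route_to_test
"""
OP_TRANSFORMS = """
[route_to_test]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = test
"""
FIXED_PROPS = BROKEN_PROPS.replace("TRANSFORM-", "TRANSFORMS-")

# One syslog input, two subnets, two indexes: the props stanza is keyed on the
# source so it covers every UDP 514 event; each transform selects its subnet by
# matching the host metadata, whose value has the form "host::<name>".
SYSLOG_PROPS = """
[source::udp:514]
TRANSFORMS-route = route_to_test, route_to_prod
"""
SYSLOG_TRANSFORMS = r"""
[route_to_test]
SOURCE_KEY = MetaData:Host
REGEX = ^host::10\.10\.10\.\d+$
DEST_KEY = _MetaData:Index
FORMAT = test

[route_to_prod]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.0\.\d+$
DEST_KEY = _MetaData:Index
FORMAT = prod
"""


def event(host, raw):  # constructed event, as it looks after the syslog input set host
    return {"_raw": raw, "host": host, "source": "udp:514", "sourcetype": "syslog"}


HOSTS = ["10.10.10.5", "192.168.0.20", "172.16.0.9"]  # two routed subnets, one not
SAMPLE_EVENTS = [event(h, f"<13>Jan  1 00:00:0{i} h{i} cron: sample") for i, h in enumerate(HOSTS, 1)]


def parse_conf(text):
    """Minimal .conf parser -> {stanza: {key: value}}; blank and # lines skipped."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            conf[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            conf[current][key.strip()] = value.strip()
    return conf


def stanza_matches(stanza, ev):
    """host::/source:: stanzas are wildcard patterns (only '*' is modelled, a
    simplification of Splunk's matching); a bare stanza name is a sourcetype."""
    kind, pattern = stanza.split("::", 1) if "::" in stanza else ("sourcetype", stanza)
    regex = "^" + ".*".join(map(re.escape, pattern.split("*"))) + "$"
    value = ev.get(kind)
    return value is not None and re.match(regex, value) is not None


def route_event(ev, props, transforms, default_index="main"):
    """Return the index the event lands in under the parsed configs."""
    index = default_index
    for stanza, settings in props.items():
        if not stanza_matches(stanza, ev):
            continue
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue  # unknown keys such as TRANSFORM-test are ignored
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]
                if t.get("DEST_KEY") != "_MetaData:Index":
                    continue  # this toy only models index routing
                source_key = t.get("SOURCE_KEY", "_raw")  # Splunk's default is _raw
                if source_key == "_raw":
                    subject = ev["_raw"]
                else:  # MetaData:Host -> "host::<value>"; Source/Sourcetype likewise
                    field = source_key.split(":")[-1].lower()
                    subject = f"{field}::{ev[field]}"
                if re.search(t["REGEX"], subject):
                    index = t["FORMAT"]
    return index


def route_all(props_text, transforms_text, events=SAMPLE_EVENTS):
    """Index chosen for each event, in order."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    return [route_event(e, props, transforms) for e in events]
```

Calling route_all(BROKEN_PROPS, OP_TRANSFORMS) gives main for all three events, because the misspelled key is never honoured; route_all(FIXED_PROPS, OP_TRANSFORMS) sends only the 10.10.10.5 event to test; and route_all(SYSLOG_PROPS, SYSLOG_TRANSFORMS) sends the first event to test, the second to prod, and leaves the 172.16.0.9 event in main. On a real indexer, confirm which copy of the stanza actually wins with splunk btool props list --debug and splunk btool transforms list --debug, since an app's props.conf can override etc/system/local.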