Hi all,
I have a slightly different configuration: I am trying to capture nagios events from syslog events (sent by a forwarder), but I don't have anything in my index or sourcetype "nagios".
The host is determined correctly in syslog, so I should be able to filter on it.
In my props.conf:
[host:: ]
TRANSFORMS-set_nagios_index = set_nagios_index
TRANSFORMS-set_nagios_sourcetype = set_nagios_sourcetype
In my transforms.conf:
[set_nagios_index]
REGEX = \snagios(\d+|):\s
DEST_KEY = _MetaData:Index
FORMAT = nagios
[set_nagios_sourcetype]
REGEX = \snagios(\d+|):\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::nagios
Any thoughts?
Thank you in advance,
Arthur
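An offline check of the two transforms.conf stanzas above, run against a few constructed syslog lines. This is an added example, not code from the original post or from Splunk: it mimics only the "if REGEX matches the raw event, set DEST_KEY to FORMAT" behaviour of TRANSFORMS-* (assuming Splunk's default SOURCE_KEY of _raw), so it shows which message formats the posted REGEX would actually route and which it silently leaves in the default index.

```python
"""Replay the posted transforms.conf stanzas against sample syslog lines.

Added example, not the original post's or Splunk's code. It models only
regex-match-then-set-key on the raw event (Splunk's default SOURCE_KEY is
_raw); the syslog lines in the test are constructed samples.
"""
import configparser
import re

# The transforms.conf stanzas exactly as posted (raw string keeps the \s and \d).
TRANSFORMS_CONF = r"""
[set_nagios_index]
REGEX = \snagios(\d+|):\s
DEST_KEY = _MetaData:Index
FORMAT = nagios

[set_nagios_sourcetype]
REGEX = \snagios(\d+|):\s
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::nagios
"""

# The order in which the props.conf stanza lists the transforms.
TRANSFORM_ORDER = ["set_nagios_index", "set_nagios_sourcetype"]


def load_transforms(text):
    """Parse transforms.conf-style text into {stanza: {KEY: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep DEST_KEY / FORMAT in their original case
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def route(raw, transforms=None):
    """Apply each transform to one raw event; return the metadata keys it sets.

    An empty dict means neither REGEX matched, so the event would stay in the
    default index with its original sourcetype.
    """
    transforms = transforms or load_transforms(TRANSFORMS_CONF)
    meta = {}
    for name in TRANSFORM_ORDER:
        t = transforms[name]
        if re.search(t["REGEX"], raw):
            meta[t["DEST_KEY"]] = t["FORMAT"]
    return meta
```

Note that a syslog tag of the common `nagios[1234]:` form (program name followed by a bracketed PID) does not match `\snagios(\d+|):\s`, so such events are never re-routed; checking the exact tag the forwarder emits is the first thing to verify.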