Hi.
I have a requirement to route events to index based on the fields host, sourcetype, and index.
Field host format is dev-customerA, dev-customerB, etc.
Field sourcetype is typeA, typeB, etc.
The following routing rules are required:
- If event index is NOT 'main' then don't do any routing (i.e. let the event go to the index set in the event).
- Set index to customer part from host field (e.g. customerA, customerB, etc)
- For sourcetype = typeA and typeB, append '-keep' to the index (e.g. the index becomes customerA-keep, customerB-keep, etc)
Examples:
Event1 index=firewall host=dev-customerA sourcetype=ASA. Should not be routed, as the index does not equal 'main'.
Event2 index=main host=dev-customerA sourcetype=ASA. Should be routed to index=customerA
Event3 index=main host=dev-customerA sourcetype=typeA. Should be routed to index=customerA-keep
Event4 index=main host=dev-customerA sourcetype=typeB. Should be routed to index=customerA-keep
Event5 index=main host=dev-customerB sourcetype=ASA. Should be routed to index=customerB
Event6 index=main host=dev-customerB sourcetype=typeA. Should be routed to index=customerB-keep
Event7 index=main host=dev-customerB sourcetype=typeB. Should be routed to index=customerB-keep
Any idea how this can be achieved with props.conf and transforms.conf (or by other means)?
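A reference model of the requested routing in Python, added here as an example that is not part of the question or of any Splunk configuration: it encodes the three rules and runs the seven sample events from the post, so a props.conf/transforms.conf implementation can be checked against it. The handling of a host that does not match dev-<customer> (left in main) is an assumption the post does not state.

```python
import re

# Constructed sample events, copied from the seven examples in the question.
SAMPLE_EVENTS = [
    "index=firewall host=dev-customerA sourcetype=ASA",
    "index=main host=dev-customerA sourcetype=ASA",
    "index=main host=dev-customerA sourcetype=typeA",
    "index=main host=dev-customerA sourcetype=typeB",
    "index=main host=dev-customerB sourcetype=ASA",
    "index=main host=dev-customerB sourcetype=typeA",
    "index=main host=dev-customerB sourcetype=typeB",
]

KEEP_SOURCETYPES = {"typeA", "typeB"}
HOST_PATTERN = re.compile(r"^dev-(?P<customer>\S+)$")


def parse_event(line):
    """Turn a 'key=value key=value' line into a dict (demo format only)."""
    return dict(pair.split("=", 1) for pair in line.split())


def route_index(event):
    """Return the destination index for one event, following the posted rules."""
    # Rule 1: anything not already in 'main' is left exactly where it is.
    if event.get("index") != "main":
        return event.get("index")
    match = HOST_PATTERN.match(event.get("host", ""))
    if match is None:
        # Assumption (not stated in the post): a host that does not look like
        # dev-<customer> stays in main rather than going to a guessed index.
        return "main"
    # Rule 2: the customer part of the host becomes the index.
    dest = match.group("customer")
    # Rule 3: typeA/typeB events get the '-keep' suffix.
    if event.get("sourcetype") in KEEP_SOURCETYPES:
        dest += "-keep"
    return dest


def route_all(lines):
    """Route a list of raw event lines and return the destination indexes."""
    return [route_index(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for line, dest in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS)):
        print(f"{line:55} -> {dest}")
```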