Hi Kiran,
Yes, it's possible to do while ingesting the data.
Configure the event-level transformations on the indexer.
If an event contains the regex pattern (? pattern), then index the event to index1.
If an event contains the regex pattern (?! pattern), then do not index.
Note: pattern will be your Windows process.
transforms.conf
[eventsRoute]
REGEX = (? pattern)
DEST_KEY = _MetaData:Index
FORMAT = <index1>
[eventsDrop]
REGEX = (?! pattern)
DEST_KEY = queue
FORMAT = nullQueue
props.conf
[Yoursourcetype]
TRANSFORMS-neglect = eventsDrop
TRANSFORMS-ingest = eventsRoute
Regards,
Mahesh
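Added example, not part of the post above and not Splunk's own code: a small Python simulation of how the two transforms decide an event's fate once the placeholders are filled in. It assumes `powershell.exe` as the process name and writes the drop rule as an anchored whole-event negative lookahead, because a bare lookahead succeeds at some offset in almost any event; the function name, default index and sample events are constructed for illustration.

```python
import re

# Assumption: "powershell.exe" stands in for the post's "pattern" placeholder.
PROCESS = r"powershell\.exe"

# Hypothetical concrete values for REGEX in the two stanzas. REGEX is an
# unanchored search, which re.search reproduces for these constructs.
ROUTE_REGEX = re.compile(r"(?i)" + PROCESS)                   # [eventsRoute]
DROP_REGEX = re.compile(r"(?is)^(?!.*" + PROCESS + r")")      # [eventsDrop]

# For comparison: a lookahead with no anchor, which matches wherever the
# process name does not start, i.e. somewhere in nearly every event.
BARE_LOOKAHEAD = re.compile(r"(?i)(?!" + PROCESS + r")")


def apply_transforms(event, default_index="main"):
    """Return the index the event lands in, or None if it goes to nullQueue."""
    meta = {"index": default_index, "queue": "indexQueue"}
    if ROUTE_REGEX.search(event):     # DEST_KEY = _MetaData:Index
        meta["index"] = "index1"
    if DROP_REGEX.search(event):      # DEST_KEY = queue, FORMAT = nullQueue
        meta["queue"] = "nullQueue"
    # The two transforms write different keys, so their order does not matter.
    return None if meta["queue"] == "nullQueue" else meta["index"]


# Constructed sample events (process-creation style, one of them multi-line).
EVENTS = [
    r"EventCode=4688 New_Process_Name=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "EventCode=4688\nNew_Process_Name=C:\\Windows\\System32\\svchost.exe",
    "EventCode=4688\nCreator=explorer.exe\nNew_Process_Name=C:\\Tools\\PowerShell.exe",
]

if __name__ == "__main__":
    for ev in EVENTS:
        first_line = ev.splitlines()[0]
        print(f"{apply_transforms(ev)!s:8} bare-lookahead-hit="
              f"{bool(BARE_LOOKAHEAD.search(ev))}  {first_line}")
```

The `(?s)` flag matters for multi-line Windows events: without it `.*` stops at the first newline and an event naming the process on a later line would be dropped.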