Hi,
I'm trying to use Heavy Forwarders (HF) to route and filter data to another Splunk setup outside of mine. My goal is to send only sourcetype=log4net matching a REGEX (let's say ClientName). I managed to do this, but the client requested that I also change the index I send to, which totally messed up my solution.
Trying to make it short: index=main sourcetype=log4net with ClientName should be routed to the client, index=main sourcetype=iis whatever should not. Any help is deeply appreciated!
###props.conf
[default]
TRANSFORMS-def=clearlog
[log4net]
TRANSFORMS-routing=clearlog,client
###transforms.conf
[clearlog]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue
[germany]
REGEX=ClientName
DEST_KEY=_MetaData:Index
FORMAT=Clientwtv