Hi All,
Unable to route the JSON logs based on a keyword (regex) "MyService_DataApp" in the event to a particular index, testlogs_idx. Could you please point out anything wrong with the below? These configurations are on the Heavy Forwarder, SHs and Indexers.
To test the routing, I've created an index=thisshouldneverhappen and added it under the inputs, and set up an alert so that whenever an event hits that index I know something is broken. All the events still route to index=thisshouldneverhappen.
Props
[json_srctype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+){
NO_BINARY_CHECK=true
KV_MODE=json
MAX_TIMESTAMP_LOOKAHEAD=45
TIME_PREFIX=\W+\w{8}
TIME_FORMAT=%s%3N
TRUNCATE=50000
ANNOTATE_PUNCT=false
disabled=false
pulldown_type =true
TRANSFORMS-01_testlogs= a1-testlogs-Route
TRANSFORMS-02_testlogs =a2-testlogs-SourceType
Transforms
[a1-testlogs-Route]
DEST_KEY = _MetaData:Index
REGEX = MyService_DataApp
FORMAT = testlogs_idx
[a2-testlogs-SourceType]
DEST_KEY = MetaData:Sourcetype
REGEX = MyService_DataApp
FORMAT = sourcetype::testlogs_srctype