https://community.splunk.com/t5/Getting-Data-In/indexRouting-with-customFilters-to-route-based-on-log-content/m-p/565111#M100577 <P>I would like to use indexRouting to move some log lines to a given index and have other log lines go to athe HEC's default index.&nbsp; The log lines that I want to route are single-line json formatted as a HEC event.&nbsp; Below is a pretty-printed example:</P><P>&nbsp;</P><LI-CODE lang="markup">{ "event":{ "device":{ "id":"dcef6f000bc7a6baffc0f0b5f000", }, "logMessage":{ "description":"Publishing to web socket", "domain":"WebSocketChannel", "severity":"debug" }, "topic":"com.juneoven.dev.analytics" }, "index":"analytics_logs_dev", "level":"INFO", "source":"dev.analytics", "sourcetype":"analytics-logs", "time":1630091106.076237 }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Other log lines are normal text logs (non-json formatted):</P><P>&nbsp;</P><LI-CODE lang="markup">2021-08-27 19:09:14,295 INFO [tornado.access] 202 POST /1/analytics/log (10.110.4.224) 35.62ms</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I see that there is a customFilter feature.&nbsp; I am hoping that Ican&nbsp; key off of the 'index' field in the HEC event to route these json log lines to their index and allow all other lines to go to the default index for the HEC.<BR /><BR />Is that possible?&nbsp; Is there some documentation that would help me?&nbsp; Thanks.</P> Fri, 27 Aug 2021 19:19:54 GMT Ezward 2021-08-27T19:19:54Z https://community.splunk.com/t5/Getting-Data-In/indexRouting-with-customFilters-to-route-based-on-log-content/m-p/565111#M100577 <P>I would like to use indexRouting to move some log lines to a given index and have other log lines go to athe HEC's default index.&nbsp; The log lines that I want to route are single-line json formatted as a HEC event.&nbsp; Below is a pretty-printed example:</P><P>&nbsp;</P><LI-CODE lang="markup">{ "event":{ "device":{ "id":"dcef6f000bc7a6baffc0f0b5f000", }, "logMessage":{ "description":"Publishing to web socket", "domain":"WebSocketChannel", "severity":"debug" }, "topic":"com.juneoven.dev.analytics" }, "index":"analytics_logs_dev", "level":"INFO", "source":"dev.analytics", "sourcetype":"analytics-logs", "time":1630091106.076237 }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Other log lines are normal text logs (non-json formatted):</P><P>&nbsp;</P><LI-CODE lang="markup">2021-08-27 19:09:14,295 INFO [tornado.access] 202 POST /1/analytics/log (10.110.4.224) 35.62ms</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I see that there is a customFilter feature.&nbsp; I am hoping that Ican&nbsp; key off of the 'index' field in the HEC event to route these json log lines to their index and allow all other lines to go to the default index for the HEC.<BR /><BR />Is that possible?&nbsp; Is there some documentation that would help me?&nbsp; Thanks.</P> Fri, 27 Aug 2021 19:19:54 GMT https://community.splunk.com/t5/Getting-Data-In/indexRouting-with-customFilters-to-route-based-on-log-content/m-p/565111#M100577 Ezward 2021-08-27T19:19:54Z https://community.splunk.com/t5/Getting-Data-In/indexRouting-with-customFilters-to-route-based-on-log-content/m-p/565208#M100588 <P>You can use a transform to rewrite the index metadata field of an event.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/admin/transformsconf#KEYS:" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/admin/transformsconf#KEYS:</A></P><P>So in a props.conf you do</P><PRE>[mysourcetype]<BR />TRANSFORMS-redirect=redirect_to_index2</PRE><P>And in transforms.conf (assuming you want to redirect json events:</P><PRE>[redirect_to_index2]<BR />REGEX = {.*}<BR />FORMAT = index2<BR />DEST_KEY = _MetaData:Index</PRE><P>&nbsp;</P><P>EDIT: I'm not sure if {} don't need to be escaped in regex.</P> Mon, 30 Aug 2021 09:18:37 GMT https://community.splunk.com/t5/Getting-Data-In/indexRouting-with-customFilters-to-route-based-on-log-content/m-p/565208#M100588 PickleRick 2021-08-30T09:18:37Z