https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619565#M106824 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<BR /><BR />Yes, this is fine, also I want the logs only from the hostname LIANS*<BR /><BR />Will the below props and transforms work?</P><P>props.conf</P><P>[host=LIANS*]<BR />TRANSFORMS-change_index_abc_secure = change_index_abc_secure</P><P>transforms.conf</P><P>[change_index_abc_secure]<BR />SOURCE_KEY = MetaData:Index<BR />REGEX = os|os_secure<BR />DEST_KEY = MetaData:Index<BR />FORMAT = index::abc_secure</P><P>&nbsp;</P> Thu, 03 Nov 2022 23:44:56 GMT VijaySrrie 2022-11-03T23:44:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619215#M106779 <P>Hi Team,</P> <P>[host::1.(xx|xx).xx.xx(x|y)]<BR />TRANSFORMS-change_index_abc_secure = change_index_abc_secure</P> <P>&nbsp;</P> <P>[change_index_abc_secure]<BR />SOURCE_KEY = MetaData:Index<BR />REGEX = os, os_secure<BR />DEST_KEY = MetaData:Index<BR />FORMAT = index::abc_secure</P> <P>&nbsp;</P> <P>I need to route the logs from certain host to index=abc_secure (not all the logs only os and os_secure logs)</P> Wed, 02 Nov 2022 02:41:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619215#M106779 VijaySrrie 2022-11-02T02:41:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619239#M106782 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164779">@VijaySrrie</a>,</P><P>if you want to redirect only logs where index contains os or os_secure you have to use a different regex:</P><LI-CODE lang="markup">[change_index_abc_secure] SOURCE_KEY = MetaData:Index REGEX = os|os_secure DEST_KEY = MetaData:Index FORMAT = index::abc_secure</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 02 Nov 2022 07:48:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619239#M106782 gcusello 2022-11-02T07:48:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619565#M106824 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<BR /><BR />Yes, this is fine, also I want the logs only from the hostname LIANS*<BR /><BR />Will the below props and transforms work?</P><P>props.conf</P><P>[host=LIANS*]<BR />TRANSFORMS-change_index_abc_secure = change_index_abc_secure</P><P>transforms.conf</P><P>[change_index_abc_secure]<BR />SOURCE_KEY = MetaData:Index<BR />REGEX = os|os_secure<BR />DEST_KEY = MetaData:Index<BR />FORMAT = index::abc_secure</P><P>&nbsp;</P> Thu, 03 Nov 2022 23:44:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619565#M106824 VijaySrrie 2022-11-03T23:44:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619597#M106827 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164779">@VijaySrrie</a>,</P><P>yes it's correct, test it and tell me the result.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 04 Nov 2022 07:27:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619597#M106827 gcusello 2022-11-04T07:27:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619800#M106846 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>This isn't working<BR />Not sure where am I going wrong</P> Mon, 07 Nov 2022 07:02:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619800#M106846 VijaySrrie 2022-11-07T07:02:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619801#M106847 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164779">@VijaySrrie</a>,</P><P>please try this props.conf</P><LI-CODE lang="markup">[host::LIANS*] TRANSFORMS-change_index_abc_secure = change_index_abc_secure</LI-CODE><P>even if&nbsp;I'm not sure that's possible to use the asterisk in props.conf , could you try using a sourcetype instead host?</P><P>Ciao.</P><P>Giuseppe</P> Mon, 07 Nov 2022 07:14:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/619801#M106847 gcusello 2022-11-07T07:14:04Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/622037#M107096 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Below config worked<BR /><BR /><BR /></P><P>Props<BR /><BR /></P><P>[host::LIANS*]<BR />TRANSFORMS-change_index_abc_secure = change_index_abc_secure</P><P>Transforms.conf<BR /><BR />[change_index_abc_secure]<BR />SOURCE_KEY = _MetaData:Index<BR />REGEX = os|os_secure<BR />DEST_KEY = _MetaData:Index<BR />FORMAT = abc_secure</P> Fri, 25 Nov 2022 02:04:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/622037#M107096 VijaySrrie 2022-11-25T02:04:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/622062#M107100 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164779">@VijaySrrie</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 25 Nov 2022 08:18:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-route-the-logs-from-certain-host-to-index-abc-secure/m-p/622062#M107100 gcusello 2022-11-25T08:18:04Z