https://community.splunk.com/t5/Getting-Data-In/Route-index-data-based-on-source/m-p/688917#M114690 <P>Hi,</P><P>Is it possible using props.conf and transforms.conf to route some data on an index based on the source field?</P><P>Let's say index1 contains a lot of sources, in some sources it contains certain words in the path for example</P><P>(source="*dev-ksm*" OR source="*int-ksm*" OR source="*qa-ksm*" OR source="*amq-*-ksm*")</P><P>For this scenario I'd like to route events that their source contains the above matching sources to an index2</P><P>Was thinking in something like this:</P><P><STRONG>props.conf</STRONG></P><LI-CODE lang="markup">[index::current_index] TRANSFORMS-routing=filter-to-new_index</LI-CODE><P>&nbsp;</P><P><STRONG>transforms.conf</STRONG></P><LI-CODE lang="markup">[filter-to-new_index] DEST_KEY = _MetaData:Index SOURCE_KEY = MetaData:Source REGEX = (?i)(.*dev-ksm.*|.*int-ksm.*|.*qa-ksm.*|.*amq-.*-ksm.*) FORMAT = new_index</LI-CODE><P>&nbsp;</P><P>Does not seem to be currently working. Hence the question if its possible to do something like this.</P><P>&nbsp;</P><P>Thanks in advance.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 May 2024 22:11:43 GMT rreatiga 2024-05-28T22:11:43Z https://community.splunk.com/t5/Getting-Data-In/Route-index-data-based-on-source/m-p/688917#M114690 <P>Hi,</P><P>Is it possible using props.conf and transforms.conf to route some data on an index based on the source field?</P><P>Let's say index1 contains a lot of sources, in some sources it contains certain words in the path for example</P><P>(source="*dev-ksm*" OR source="*int-ksm*" OR source="*qa-ksm*" OR source="*amq-*-ksm*")</P><P>For this scenario I'd like to route events that their source contains the above matching sources to an index2</P><P>Was thinking in something like this:</P><P><STRONG>props.conf</STRONG></P><LI-CODE lang="markup">[index::current_index] TRANSFORMS-routing=filter-to-new_index</LI-CODE><P>&nbsp;</P><P><STRONG>transforms.conf</STRONG></P><LI-CODE lang="markup">[filter-to-new_index] DEST_KEY = _MetaData:Index SOURCE_KEY = MetaData:Source REGEX = (?i)(.*dev-ksm.*|.*int-ksm.*|.*qa-ksm.*|.*amq-.*-ksm.*) FORMAT = new_index</LI-CODE><P>&nbsp;</P><P>Does not seem to be currently working. Hence the question if its possible to do something like this.</P><P>&nbsp;</P><P>Thanks in advance.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 May 2024 22:11:43 GMT https://community.splunk.com/t5/Getting-Data-In/Route-index-data-based-on-source/m-p/688917#M114690 rreatiga 2024-05-28T22:11:43Z https://community.splunk.com/t5/Getting-Data-In/Route-index-data-based-on-source/m-p/688948#M114693 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267313">@rreatiga</a>,</P><P>in the header of the props.conf stanza, you cannot use "index::current_index" but only sourcetype or source or host fields.</P><P>for source and host, you can also use jolly char, something like this:</P><P>props.conf</P><LI-CODE lang="markup">[source::*dev-ksm*] TRANSFORMS-routing=filter-to-new_index [source::*int-ksm*] TRANSFORMS-routing=filter-to-new_index [source::*qa-ksm*] TRANSFORMS-routing=filter-to-new_index [source::*amq-*-ksm*] TRANSFORMS-routing=filter-to-new_index</LI-CODE><P>transorms.conf</P><LI-CODE lang="markup">[filter-to-new_index] DEST_KEY = _MetaData:Index REGEX = . FORMAT = new_index</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 29 May 2024 05:17:16 GMT https://community.splunk.com/t5/Getting-Data-In/Route-index-data-based-on-source/m-p/688948#M114693 gcusello 2024-05-29T05:17:16Z