Getting Data In

Can I configure transforms.conf to route data to different sourcetypes and indexes based on host?

a212830
Champion

Hi,

I have a bunch of different hosts going to a network port for syslog and need to route to different indexes/sourcetypes based upon the hostname. Can I have one transforms that does both (for each different host regex)...

0 Karma

somesoni2
Revered Legend

You can override only one metadata at a time using the Transforms, so you'd need two transforms for each host regex to override both sourcetype and index. It should work like this:

props.conf
[yourhostspecification]
TRANSFORMS-sourcetype=overridesourcetype
TRANSFORMS-index=overrideindex

transforms.conf
[overrideindex]
SOURCE_KEY = MetaData:Host
REGEX = rexForYourHost
DEST_KEY = _MetaData:Index
FORMAT = newindexname

[overridesourcetype]
SOURCE_KEY = MetaData:Host
REGEX = rexForYourHost
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::newsourcetype

0 Karma

shan_santosh
Explorer

What could be the value for REGEX if I want to set index for events coming from Server001?

0 Karma
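A concrete version of the stanza pattern from the answer above, filled in for two hosts (one of them the Server001 of the follow-up question). This is an added example, not config from either poster; the input sourcetype "syslog", the host names and the index/sourcetype names are assumptions.

```ini
# props.conf
# Assumption: the network input assigns sourcetype "syslog"; use whatever
# sourcetype your port input actually sets. One TRANSFORMS class with a
# comma-separated list runs the transforms left to right, so a host's
# index and sourcetype overrides can sit side by side.
[syslog]
TRANSFORMS-route_by_host = idx_server001, st_server001, idx_server002, st_server002

# transforms.conf
# MetaData:Host carries the value as "host::<name>", so the optional group
# keeps the regex working either way; the ^ and $ anchors stop "Server001"
# from also matching "Server0011". Matching is case-sensitive unless you
# prefix the pattern with (?i).
[idx_server001]
SOURCE_KEY = MetaData:Host
REGEX = ^(?:host::)?Server001$
DEST_KEY = _MetaData:Index
FORMAT = idx_app_servers

[st_server001]
SOURCE_KEY = MetaData:Host
REGEX = ^(?:host::)?Server001$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::app_syslog

[idx_server002]
SOURCE_KEY = MetaData:Host
REGEX = ^(?:host::)?Server002$
DEST_KEY = _MetaData:Index
FORMAT = idx_firewalls

[st_server002]
SOURCE_KEY = MetaData:Host
REGEX = ^(?:host::)?Server002$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fw_syslog
```

The index named in FORMAT must already exist on the indexers, otherwise events routed there are dropped unless a lastChanceIndex is configured; hosts that match none of the regexes keep the input's default index and sourcetype.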