Can I configure transforms.conf to route data to d...

a212830 · ‎05-13-2016

Hi,

I have a bunch of different hosts going to a network port for syslog and need to route to different indexes/sourcetypes based upon the hostname. Can I have one transforms that does both (for each different host regex)...

somesoni2 · ‎05-14-2016

You can override only one metadata at a time using the Transforms, so you you'd need two transforms for each host regex to override both sourcetype and index. It should work like this

props.conf
[yourhostspecification]
TRANSFORMS-sourcetype=overridesourcetype
TRANSFORMS-index=overrideindex

transforms.conf
[overrideindex]
SOURCE_KEY = MetaData:Host
REGEX = rexForYourHost
DEST_KEY=_MetaData:Index
FORMAT = newindexname

[overridesourcetype]
SOURCE_KEY = MetaData:Host
REGEX = rexForYourHost
DEST_KEY=MetaData:Sourcetype
FORMAT = sourcetype::newsourcetype

shan_santosh · ‎12-12-2016

What could be the value for REGEX if I want to set index for events coming from Server001?

Can I configure transforms.conf to route data to different sourcetypes and indexes based on host?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation