In my testing environment I have three main indexes that are specific to the data stored within them. I want to change the host value of all events by appending a string at the end of the host at index time (similar to a domain name, as an example) and I know how to do this with the props-transforms configuration, but I can only do it based on sourcetype, host, or source. Is there a way to do the same thing but based on index?
For example,
index1: host -> host.test1, something -> something.test1
index2: tmp -> tmp.test2
index3: hello -> hello.test3
I know how to do this based on the host field, for example:
Props.conf
[host::*]
TRANSFORMS-appendname = append_name
Transforms.conf
[append_name]
SOURCE_KEY = MetaData:Host
REGEX = (.*)
FORMAT = $1.test
DEST_KEY = MetaData:Host
And in this case, every host that forwards logs to my indexer would have their events stored as
host = hostname.test
How do I do the same thing but based on the target index?
transforms.conf
[append_name]
INGEST_EVAL = host=case(index="index1", host.".test1", index="index2", host.".test2", index="index3", host.".test3", true(), host)
WRITE_META = true
INGEST_EVAL can be used as eval.
How about this?
I was not aware of that setting. Because it works exactly like eval you can do the following then:
[append_name]
INGEST_EVAL = host=case(index="index1", host.".test1", index="index2", host.".test2", index="index3", host.".test3", true(), host)
WRITE_META = true
Take note that to concatenate the host value and a string you have to type a period before the string.
host."<string>" = host<string>
host.".<string>" = host.<string>
If you change your answer with the revised working (I tested it) eval declaration, I'll accept it.
I see. My answer is updated.