I'm trying to follow guides on how to create a new indexed field. Basically creating a field that gives us the name of the hf the data came from: "Splunk_HF"
Im having a hard time understanding how to actually grab the heavy forwarders name. If this was a raw log i would attempt to do regex on the host based on where that name in we can within the log but here in drawing a blank. It's like I'm pulling the info from the air and I simply don't know the right syntax to make this happen
I'm sure plenty have done it his before and it should be similar for each of us. Can someone please stir me in the right direction with my configurations
This is my idea so far, can someone please correct my mistakes
Transforms.conf [getting_splunk_forwarder] DEST_KEY = MetaData:Host REGEX = I have no idea Format = host::$1