All,
I am looking to route data to an index based on contents of the _raw.
Basically I have app that runs every so often and logs to /var/log/message on a Linux system. If i see "arpwatch" in the text I want the event to end up in index=arpwatch.
Assuming I don't want to mess with the logging facilities at this time to create another log file. Is this something Splunk can do?
Here is what I have so far on my all in one box. It sorta works, but I am getting the hostname AND index overwritten to be arpwatch rather than just the index.
props.conf
[syslog]
BREAK_ONLY_BEFORE = ^
TRANSFORMS-indexrouting = arpwatch
transforms.conf
[arpwatch]
REGEX = (?i) .app=arpwatch.
DEST_KEY = _MetaData:Index
FORMAT = arpwatch
