I want to override the sourcetype for all events before they are indexed and redirect some of those events (those containing ERROR) to another index with the overridden sourcetype.
So, I need the events to be spread between two indexes: test1 and test2 (for the ERROR events), and I need all of the events to have the same access_combined sourcetype.
I use the oneshot command to ingest data from a file:
>splunk add oneshot C://opt/log.txt -index test1 -sourcetype test_sourcetype
and now my props.conf looks like this:
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS = custom_sourcetype
TRANSFORMS = route_notfound

LINE_BREAKER is here because it's a one-line log, so I need to break it into events, and that works fine.
and my transforms.conf:
[custom_sourcetype]
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::access_combined

[route_notfound]
REGEX = ERROR
DEST_KEY = _MetaData:Index
FORMAT = another_index

If I use those transforms separately they work fine (I switch them off by using # in props.conf), but they do not work together...
How can I do those two things in one step, before the data is indexed?
In your props.conf, TRANSFORMS must have a unique name. Please try this:
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS-override = custom_sourcetype
TRANSFORMS-route = route_notfound

or

[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS-mywork = custom_sourcetype, route_notfound
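To make the difference concrete, here is an added example that is not from the thread and not Splunk's own code: a small Python model of how a props.conf stanza is read and how its TRANSFORMS-<class> keys are turned into a chain of index-time transforms, run over a few constructed events. The parser, the sample events and the rule that a repeated key inside one stanza is overwritten by the later occurrence (ordinary INI semantics, consistent with the symptom in the question) are assumptions of this model.

```python
import re
from collections import OrderedDict

# Constructed sample events: the one-line log after LINE_BREAKER has split it.
SAMPLE_EVENTS = [
    "10.0.0.1 - - GET /index.html 200",
    "10.0.0.2 - - GET /missing 404 ERROR not found",
    "10.0.0.3 - - POST /login 302",
]

# Constructed equivalent of the transforms.conf stanzas in the question.
TRANSFORMS = {
    "custom_sourcetype": {"REGEX": r".*", "DEST_KEY": "MetaData:Sourcetype",
                          "FORMAT": "sourcetype::access_combined"},
    "route_notfound": {"REGEX": r"ERROR", "DEST_KEY": "_MetaData:Index",
                       "FORMAT": "another_index"},
}

# The three props.conf variants from the thread: broken, then both fixes.
BROKEN_PROPS = r"""
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS = custom_sourcetype
TRANSFORMS = route_notfound
"""
FIXED_PROPS = r"""
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS-override = custom_sourcetype
TRANSFORMS-route = route_notfound
"""
LIST_PROPS = r"""
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS-mywork = custom_sourcetype, route_notfound
"""


def parse_stanza(text, stanza):
    """Minimal .conf reader returning the key/value pairs of one stanza.
    Assumption of this model: a key repeated within the stanza keeps only
    its later value, so two plain 'TRANSFORMS =' lines collapse to one."""
    settings = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == stanza and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def transform_chain(settings):
    """Collect TRANSFORMS and every TRANSFORMS-<class> key in file order and
    expand comma-separated lists into the ordered list of transform names."""
    chain = []
    for key, value in settings.items():
        if key == "TRANSFORMS" or key.startswith("TRANSFORMS-"):
            chain.extend(n.strip() for n in value.split(",") if n.strip())
    return chain


def apply_transforms(events, chain, default_index, default_sourcetype):
    """For each event, run the chain: when REGEX matches, FORMAT is written
    to DEST_KEY. Returns (sourcetype, index, raw) per event."""
    out = []
    for raw in events:
        meta = {"MetaData:Sourcetype": "sourcetype::" + default_sourcetype,
                "_MetaData:Index": default_index}
        for name in chain:
            t = TRANSFORMS[name]
            if re.search(t["REGEX"], raw):
                meta[t["DEST_KEY"]] = t["FORMAT"]
        out.append((meta["MetaData:Sourcetype"].split("::", 1)[1],
                    meta["_MetaData:Index"], raw))
    return out


def index_with(props_text):
    """Defaults mirror the oneshot command: -index test1 -sourcetype test_sourcetype."""
    chain = transform_chain(parse_stanza(props_text, "host::myhost"))
    return chain, apply_transforms(SAMPLE_EVENTS, chain, "test1", "test_sourcetype")


if __name__ == "__main__":
    for label, props in (("broken", BROKEN_PROPS), ("fixed", FIXED_PROPS),
                         ("list", LIST_PROPS)):
        chain, events = index_with(props)
        print(label, chain)
        for sourcetype, index, raw in events:
            print("  ", sourcetype, index, raw)
```

With the broken stanza only route_notfound survives, so every event keeps test_sourcetype and only the ERROR line moves to another_index; with either fixed stanza both transforms run in order, so every event becomes access_combined and the ERROR line is still routed. Note that LINE_BREAKER has to stay in the host::myhost stanza, as in the question: the sourcetype is rewritten after line breaking, so the index-time settings of the new sourcetype are not applied to these events.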