I'm exporting events from a Heavy Forwarder to syslog without indexing (throwing to nullQueue after syslog output).
Since syslog contains only 'host' and raw data, I'm missing the 'sourcetype' in the syslog.
I would like to make an index-time transform that combines the sourcetype and the host, together in the host field.
The reason for that is that I'm sending those events to syslog-ng, and not to a Splunk indexer.
Syslog format cannot contain special fields like sourcetype.
Is there any way to use transform with two SOURCE_KEYs into one DEST_KEY?
You can combine both values like this:
| eval new_field=sourcetype."-".host
I can't use any search for this, since the events don't get into the indexer at all, they go from HeavyForwarder straight to syslog output.
So I can only modify index-time fields, at index time, such as host, source, sourcetype, index.
Problem is, syslog format doesn't contain a sourcetype field, it only contains host and _raw.
So I thought maybe I could insert the sourcetype into the host somehow.
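An added configuration example, not from anyone in this thread, showing one way to get the sourcetype into the host field at index time on the heavy forwarder. A single Splunk transform reads only one SOURCE_KEY, so instead of combining two keys dynamically, the sourcetype name is fixed per props.conf stanza and the transform rewrites host from the MetaData:Host key. The sourcetype name my_app and the transform name my_app_host_prefix are placeholders.

```ini
# Added example, not from the thread: one props.conf stanza per sourcetype,
# each pointing at a transform that prefixes that sourcetype name onto host.
# The sourcetype "my_app" and transform "my_app_host_prefix" are placeholders.

# props.conf on the heavy forwarder
[my_app]
TRANSFORMS-sethost = my_app_host_prefix

# transforms.conf on the heavy forwarder
[my_app_host_prefix]
# Read the existing host metadata, which has the form "host::<value>"
SOURCE_KEY = MetaData:Host
REGEX = ^host::(.+)$
# Write it back with the sourcetype name prepended, e.g. "my_app-webserver01"
FORMAT = host::my_app-$1
DEST_KEY = MetaData:Host
```

Because the transform is attached with TRANSFORMS- (index-time) rather than REPORT- (search-time), it runs in the forwarder's pipeline before the event reaches the syslog output, so the rewritten host is what the syslog receiver sees. Each sourcetype that needs this treatment gets its own props.conf stanza with its own prefix; Splunk needs a restart or a configuration reload after the files change.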