Hi Team,
[host::1.(xx|xx).xx.xx(x|y)]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure
[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os, os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure
I need to route the logs from a certain host to index=abc_secure (not all the logs, only the os and os_secure logs).
Below config worked
Props
[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure
Transforms.conf
[change_index_abc_secure]
SOURCE_KEY = _MetaData:Index
REGEX = os|os_secure
DEST_KEY = _MetaData:Index
FORMAT = abc_secure
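A small Python model of the routing in the config that worked, added here as an example and not code from the thread or from Splunk. It shows which original index names the REGEX selects for hosts under [host::LIANS*]. The host names, the osquery and network index names, the anchored variant and the handling of an unrecognised SOURCE_KEY are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# The transform from the config that worked.
ACCEPTED = {"SOURCE_KEY": "_MetaData:Index", "REGEX": r"os|os_secure",
            "DEST_KEY": "_MetaData:Index", "FORMAT": "abc_secure"}
# First attempt from the thread: the comma is a literal, not an alternation.
COMMA = dict(ACCEPTED, REGEX=r"os, os_secure")
# Added variant (not from the thread): anchored to whole index names.
ANCHORED = dict(ACCEPTED, REGEX=r"^(os|os_secure)$")

def route(host, index, transform, host_pattern="LIANS*"):
    """Return the index an event lands in after the props/transforms pair."""
    if not fnmatchcase(host, host_pattern):       # [host::LIANS*] scope
        return index
    if transform["SOURCE_KEY"] != "_MetaData:Index":
        return index  # assumption: an unrecognised key leaves the event alone
    if re.search(transform["REGEX"], index) is None:  # unanchored search
        return index
    if transform["DEST_KEY"] == "_MetaData:Index":
        return transform["FORMAT"]                # bare index name
    return index

# Constructed sample events: (host, index originally assigned).
EVENTS = [("LIANS01", "os"), ("LIANS01", "os_secure"),
          ("LIANS01", "osquery"), ("LIANS01", "network"), ("WEB01", "os")]

def table(transform):
    """Map each constructed event to its final index under one transform."""
    return {(h, i): route(h, i, transform) for h, i in EVENTS}

if __name__ == "__main__":
    for name, t in [("accepted", ACCEPTED), ("comma", COMMA),
                    ("anchored", ANCHORED)]:
        print(name, table(t))
```

Because the REGEX is searched anywhere in the index name, `os|os_secure` also selects any other index whose name contains "os"; the anchored variant limits rerouting into abc_secure to the two intended indexes.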
Hi @VijaySrrie,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @gcusello
Yes, this is fine, also I want the logs only from the hostname LIANS*
Will the below props and transforms work?
props.conf
[host=LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure
transforms.conf
[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os|os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure
Hi @gcusello
This isn't working
Not sure where I am going wrong
Hi @VijaySrrie,
please try this props.conf
[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure
even if I'm not sure that it's possible to use the asterisk in props.conf, could you try using a sourcetype instead of host?
Ciao.
Giuseppe
Hi @VijaySrrie,
if you want to redirect only logs where index contains os or os_secure you have to use a different regex:
[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os|os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure
Ciao.
Giuseppe