Here is my current props.conf stanza for UDP:514 syslog traffic. I am sending this traffic to multiple indexes using transforms.conf.
props.conf:
[syslog]
TRANSFORMS-index = Stan1, Stan2, Stan3
transforms.conf
[Stan1]
SOURCE_KEY = MetaData:Host
REGEX = (host1|host2|host3)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index1
[Stan2]
SOURCE_KEY = MetaData:Host
REGEX = (host4|host5|host6)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index2
[Stan3]
SOURCE_KEY = MetaData:Host
REGEX = (host7|host8|host9)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index3
This seems to work just fine. However, I am now trying to add a 4th reference to a stanza in props.conf under syslog. When I do this, and add the appropriate stanza in transforms.conf, all of the syslog ends up in one index, and it doesn't seem to be consistent when I restart the Heavy Forwarder.
Is there a limit to how many stanzas I can reference in transforms.conf from one stanza in props.conf [syslog]?
Thanks!
Hi All,
Facing a few challenges; mine is playing around with the same transforms.
I'm trying to forward the same source data to two different logical indexes and two different index groups.
Below is my scenario.
In props.conf I used
[source::Dual_Data_Testing]
TRANSFORMS-source = Stan1, Stan2
In transforms.conf
[Stan1]
SOURCE_KEY = MetaData:Source
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = Index1
DEST_KEY = _TCP_ROUTING
FORMAT = IndexerGroup1
[Stan2]
SOURCE_KEY = MetaData:Source
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = Index2
DEST_KEY = _TCP_ROUTING
FORMAT = IndexerGroup2
Currently the above conf is not working.
Please, is there any workaround you can suggest for this?
Thanks,
Arun Sunny
The 4th one is just basically a continuation:
[Stan4]
SOURCE_KEY = MetaData:Host
REGEX = (host10|host11|host12).domain.here.com
DEST_KEY = _MetaData:Index
FORMAT = index4
What is the fourth stanza? It must be grabbing them all somehow.
No, there is no limit. Well, I suppose there is a limit for everything, but in this case it's certainly not 4.
Is the way I'm trying to do it a common approach?
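For checking a routing list like the ones in this thread offline, here is an added example (not code from any poster or from Splunk) that models index routing in a simplified way: transforms run in list order, and the last matching stanza that writes `_MetaData:Index` wins. Assumptions: Python `re` stands in for PCRE, the default index is `main`, a key set twice in one stanza keeps its last value, and `StanAll` is a hypothetical over-broad stanza.

```python
import re

def parse_conf(text):
    """Return ({stanza: {key: value}}, [(stanza, key) for keys set more than once])."""
    stanzas, dups, cur = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            stanzas[cur] = {}
        elif "=" in line and cur is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            if key in stanzas[cur]:
                dups.append((cur, key))
            stanzas[cur][key] = val  # assumed: the later assignment replaces the earlier one
    return stanzas, dups

def route(host, order, stanzas, default="main"):
    """Model: apply transforms in list order; the last matching index writer wins."""
    index = default
    for name in order:
        st = stanzas[name]
        if st.get("DEST_KEY") == "_MetaData:Index" and re.search(st["REGEX"], "host::" + host):
            index = st["FORMAT"]
    return index

# Constructed samples: Stan1/Stan4 follow the thread, StanAll is hypothetical, DUAL is the second post's shape.
SAMPLE = r"""[Stan1]
SOURCE_KEY = MetaData:Host
REGEX = (host1|host2|host3)\.domain\.here\.com
DEST_KEY = _MetaData:Index
FORMAT = index1
[Stan4]
SOURCE_KEY = MetaData:Host
REGEX = (host10|host11|host12).domain.here.com
DEST_KEY = _MetaData:Index
FORMAT = index4
[StanAll]
SOURCE_KEY = MetaData:Host
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index9"""
DUAL = """[Stan1]
SOURCE_KEY = MetaData:Source
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = Index1
DEST_KEY = _TCP_ROUTING
FORMAT = IndexerGroup1"""

if __name__ == "__main__":
    print(route("host1.domain.here.com", ["Stan1", "Stan4", "StanAll"], parse_conf(SAMPLE)[0]), parse_conf(DUAL)[1])
```

In this model a catch-all stanza placed last sends every host to one index, and a stanza that sets `DEST_KEY` twice no longer writes the index at all.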