Getting Data In

Redirection to different index using transforms.conf

Engager

Hi,

I have a couple of network devices which are sending logs to splunk over udp (so no forwarder installed on them).

I'm struggling to get my transforms.conf to redirect the data to a separate index.
The network devices have 2 transforms rules, the first one being a MetaData:Host being set (instead of IP) which works fine.
What am I doing wrong for the index redirection?
Maybe some issue with SOURCE_KEY? I've tried using a SOURCE_KEY = MetaData:Host in transforms.conf

transforms.conf
[host_rename_rt1]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::rt1

[index_redirect_to_pci]
REGEX = .
DEST_KEY = MetaData:Index
FORMAT = pci

props.conf
[host::x.x.x.x]
TRANSFORMS-rt1 = host_rename_rt1,index_redirect_to_pci

Thanks

0 Karma

Splunk Employee
Splunk Employee

You should have _MetaData:Index not MetaData:Index.

### transforms.conf
[host_rename_rt1]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::rt1

[index_redirect_to_pci]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = pci

### props.conf
[host::x.x.x.x] 
TRANSFORMS-rt1 = host_rename_rt1,index_redirect_to_pci