Hi my scenario is: I monitor a file called apps.txt on forwarder side & index it to index=app on Indexer side. I filter out all logs for those that contain App/app & DROP others via nullQueue.

A newer requirement has come up that, I need to now have another index 'alarms' that contain all logs with term alarms from my SAME monitored file i.e apps.txt .(I will send these both logs to same forward server but in different indexes app & alarms). I could just set a regex for alarms send it to different receive group from my props.conf, but how will it then get indexed to 'alarms' index.

Since i have already set a transform for it as retain logs containing term app, index them to app & drop other; how will I further route 'alarms' logs to different index=alarms. Setting a different monitor & different regex will lead to ambiguity??

Here is my current conf:

==============inputs.conf

[monitor://D:\LOGS\apps.txt ]

sourcetype= s_app

index = app

.

.

.

==============props.conf

[s_app]

TRANSFORMS-routing2 = Appredirect

TRANSFORMS-movetonull = notApp

.

.

.

==============transforms.conf

[Appredirect]

REGEX=.*([Aa][Pp][Pp])

DEST_KEY=_TCP_ROUTING

FORMAT=APP

[notApp]

REGEX=^((?![Aa][Pp][Pp]).)*$

DEST_KEY=queue

FORMAT=nullQueue

.

.

.

==============outputs.conf

[tcpout:APP]

server = 172.23.2.2:8100