I have a lot of UDP logs, and only a small portion of them contain errors that I need to investigate. I don't want to index all of them. Is there any way to index only those records containing the text ERROR?
You can use the transforms.conf below to index the events that you need.
@inputs.conf
[udp://514]
connection_host = ip
sourcetype = syslog
@props.conf
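[source::udp:514]
# Transforms run in the order listed: drop everything first, then keep ERROR events.
TRANSFORMS-routing = setNull, error_to_index
@transforms.conf
# Matches every event and sends it to the nullQueue (discarded, not indexed).
[setNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Events containing ERROR are routed back to the indexQueue.
[error_to_index]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue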
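
The routing in the answer above, modelled as an added example (not part of the original post and not Splunk code): a simplified Python model in which each transform listed in `TRANSFORMS-routing` is tried in order and every match overwrites the queue key. The function names and the syslog lines are constructed for illustration; it shows why `setNull` must come first and which events a case-sensitive `ERROR` pattern keeps or misses.

```python
import re

# Transforms from the answer's transforms.conf: stanza name -> (REGEX, FORMAT).
TRANSFORMS = {
    "setNull": (r".", "nullQueue"),
    "error_to_index": (r"ERROR", "indexQueue"),
}

def route(event, order, default="indexQueue"):
    """Return the final queue for one event (simplified model, an assumption).

    Every transform in `order` is tried in sequence; each one whose REGEX
    matches overwrites the queue key, so the last match decides.
    """
    queue = default
    for name in order:
        regex, dest = TRANSFORMS[name]
        if re.search(regex, event):  # unanchored and case-sensitive
            queue = dest
    return queue

def indexed(events, order):
    """Events that would reach the index for a given transform order."""
    return [e for e in events if route(e, order) == "indexQueue"]

# Constructed sample syslog lines (not real data).
SAMPLE = [
    "<11>Jan 12 10:01:02 fw01 app[311]: ERROR connection reset by peer",
    "<14>Jan 12 10:01:03 fw01 app[311]: INFO session opened",
    "<11>Jan 12 10:01:04 fw01 app[311]: error: disk quota exceeded",
    "<14>Jan 12 10:01:05 fw01 app[311]: INFO retries=0 ERRORS=0",
]

ANSWER_ORDER = ["setNull", "error_to_index"]    # order used in props.conf
REVERSED_ORDER = ["error_to_index", "setNull"]  # common mistake

if __name__ == "__main__":
    for label, order in (("answer order", ANSWER_ORDER),
                         ("reversed order", REVERSED_ORDER)):
        kept = indexed(SAMPLE, order)
        print(f"{label}: {len(kept)} of {len(SAMPLE)} events indexed")
        for e in kept:
            print("   ", e)
```

With the answer's order, the lowercase `error:` line is discarded and the `ERRORS=0` line is kept, so the pattern may need tightening for the actual log format before relying on it for investigations.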