Tried suggestions from other Q/A, but alas. Trying to route syslog data from one host to an index other than main. The host is a NetApp filer and there is no option to install a forwarder, so it's just sending data on 514. Single indexer/search head, target index is set up and named 'netapp'.

props.conf:

[host::host1.fqdn]
TRANSFORMS-movetonetappindex = netappindex

transforms.conf:

[netappindex]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = netapp
Running 4.2.1, build 98164 on rhel5_5 2.6.18-238.12.1.el5
It's possible that your host value is not in fact host.fqdn. If your sourcetype is syslog, Splunk applies a transform that modifies the host according to what's in the event data. But the selection of rules from props.conf is applied based on the *un*transformed host, so it may be the IP address, or something.
This is much easier to deal with if you receive the data using syslog or syslog-ng or rsyslog, write it to a set of files split out by hostname, and then have Splunk monitor those files, using host_regex to set the host name.
Also (and this isn't why it's failing), don't use .* as your matching regex. There's no need to match up against the entire string. Simply (?=) will work fine.
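As an added example of the file-based setup the answer suggests (not configuration from the original thread), assuming rsyslog on the indexer host, a per-host directory layout under /var/log/remote/ and the file paths shown below; with the host set by host_regex at input time, the [host::host1.fqdn] stanza from the question matches predictably:

```ini
# /etc/rsyslog.d/remote.conf (assumed path): receive UDP 514 and write one
# file per sending host. %HOSTNAME% is the sender as rsyslog sees it
# (reverse DNS name, or the IP address if it does not resolve).
$ModLoad imudp
$UDPServerRun 514
$template PerHost,"/var/log/remote/%HOSTNAME%/syslog.log"
*.* ?PerHost

# $SPLUNK_HOME/etc/system/local/inputs.conf: monitor the per-host files.
# host_regex takes the host from the directory name in the path (first
# capture group), so the value props.conf sees is the directory name,
# not whatever the syslog host transform later extracts from the event.
[monitor:///var/log/remote/*/syslog.log]
sourcetype = syslog
host_regex = /var/log/remote/([^/]+)/syslog\.log

# $SPLUNK_HOME/etc/system/local/props.conf: same routing as the question,
# now keyed on a host value you control. Check the directory name that
# rsyslog actually created (hostname vs. IP) and use that here.
[host::host1.fqdn]
TRANSFORMS-movetonetappindex = netappindex

# $SPLUNK_HOME/etc/system/local/transforms.conf
[netappindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = netapp
```

Verify with a search like `index=netapp host=host1.fqdn` after restarting Splunk; if events still land in main, `ls /var/log/remote/` shows the exact host string the [host::...] stanza has to match.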