Hello,
I have an input that comes from one proxy device that logs several clients. It is just one big log with all accesses in it.
I configured a LOOKUP table that maps the subnetwork of a client to its name, based on its logged IP address, and it works:
[clients]
# Value returned when no subnet in clients.csv contains the address
default_match = UnknownClient
filename = clients.csv
# CIDR matching on the "subnetwork" column of the CSV
match_type = CIDR(subnetwork)
max_matches = 1
min_matches = 1
Since my index is getting really huge, I want to split it into smaller indexes. It will make everything easier and faster. So I configured a TRANSFORMS clause in transforms.conf and props.conf so that, based on a REGEX, it sends events to different indexes:
# transforms.conf
[client1]
# Runs against the raw event at index time
REGEX = -SOME_STRING_IDENTIFIER-
DEST_KEY = _MetaData:Index
FORMAT = access_client1
# props.conf
[my_logs]
# Each entry names a transforms.conf stanza ([client1] above), not the FORMAT
# value; the list continues with one stanza per client.
TRANSFORMS-clients = client1,
And it works too. The events coming from client1 go to index access_client1, client2 to access_client2, and so on...
The problem is that this REGEX does not recognize all events coming from a client. The best would be if I could look up the clients LOOKUP table and decide based on their IP address (dvc_ip field), exactly as Splunk does when searching. Is it possible?
Thanks
It would be nice, but you can't parse at index time based on a lookup. Lookups are search time only.
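Since the lookup cannot run at index time, one way to get the same CIDR-based routing is to compile the lookup table into one REGEX stanza per subnet and let the existing TRANSFORMS mechanism do the routing. The script below is an added example, not code from the thread above or from Splunk itself; it assumes clients.csv has `subnetwork` and `name` columns, that indexes are named access_<name> as in the question, and that the raw events carry the client address as `src=<ip>` (the sample table and events are constructed for illustration).

```python
"""Generate Splunk index-time routing stanzas from a CIDR lookup table (added example).

Assumptions: clients.csv has columns `subnetwork` and `name`, indexes are named
access_<name>, and raw events hold the client address as `src=<ip>` (constructed
log format, not the original proxy's).
"""
import csv
import io
import ipaddress
import re

# Matches one complete octet 0-255 (IPv4 only).
ANY_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"


def cidr_to_regex(cidr: str) -> str:
    """Regex (Python and PCRE compatible) matching exactly the IPv4 addresses in cidr.

    Octets fully inside the prefix are emitted literally, the octet the prefix
    boundary falls in becomes an alternation of its allowed values, and the rest
    match any octet. The lookarounds keep a /32 for 10.1.4.3 from matching
    inside 10.1.4.35, and 10.1.4.0/22 from matching inside 110.1.4.3.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only: %s" % cidr)
    parts = []
    for i, octet in enumerate(net.network_address.packed):
        fixed_bits = max(0, min(8, net.prefixlen - 8 * i))
        if fixed_bits == 8:
            parts.append(str(octet))
        elif fixed_bits == 0:
            parts.append(ANY_OCTET)
        else:
            span = 1 << (8 - fixed_bits)  # number of values this octet can take
            lo = octet & ~(span - 1)
            parts.append("(?:%s)" % "|".join(str(v) for v in range(lo, lo + span)))
    return r"(?<!\d)" + r"\.".join(parts) + r"(?!\d)"


def regex_agrees_with_network(cidr: str, probe: str) -> bool:
    """Brute-force check: for every address in probe, regex match == CIDR membership."""
    net = ipaddress.ip_network(cidr, strict=False)
    rx = re.compile(cidr_to_regex(cidr))
    return all((rx.search(str(a)) is not None) == (a in net)
               for a in ipaddress.ip_network(probe))


def load_rules(clients_csv: str, anchor: str = "src="):
    """Turn lookup rows into (stanza name, compiled regex, index) tuples.

    `anchor` pins the match to the field carrying the client address, so an event
    whose destination happens to fall in a client subnet is not misrouted.
    """
    rules = []
    for row in csv.DictReader(io.StringIO(clients_csv)):
        rx = re.compile(re.escape(anchor) + cidr_to_regex(row["subnetwork"]))
        rules.append(("route_" + row["name"], rx, "access_" + row["name"]))
    return rules


def route(event: str, rules, default_index: str = "access_unknownclient") -> str:
    """Destination index for one raw event. Splunk runs the listed transforms in
    order and each matching one overwrites _MetaData:Index, so the LAST match wins."""
    index = default_index
    for _, rx, dest in rules:
        if rx.search(event):
            index = dest
    return index


def emit_conf(rules) -> str:
    """Render the transforms.conf and props.conf stanzas for the rules."""
    out = ["# transforms.conf"]
    for stanza, rx, dest in rules:
        out.append("[%s]\nREGEX = %s\nDEST_KEY = _MetaData:Index\nFORMAT = %s\n"
                   % (stanza, rx.pattern, dest))
    out.append("# props.conf\n[my_logs]\nTRANSFORMS-clients = %s"
               % ", ".join(stanza for stanza, _, _ in rules))
    return "\n".join(out)


# Constructed sample lookup table and proxy events (not real data).
CLIENTS_CSV = """subnetwork,name
10.1.4.0/22,client1
192.168.50.0/24,client2
172.16.8.0/21,client3
"""

SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z proxy01 src=10.1.6.77 dst=93.184.216.34 GET http://example.com/",
    "2024-05-01T10:00:02Z proxy01 src=192.168.50.200 dst=10.1.5.9 CONNECT example.net:443",
    "2024-05-01T10:00:03Z proxy01 src=172.16.15.3 dst=198.51.100.7 GET http://example.org/",
    "2024-05-01T10:00:04Z proxy01 src=10.1.8.1 dst=203.0.113.5 GET http://example.com/",
    "2024-05-01T10:00:05Z proxy01 src=110.1.4.3 dst=203.0.113.5 GET http://example.com/",
]

RULES = load_rules(CLIENTS_CSV)


def route_samples():
    """Route the constructed events; returns the destination index per event."""
    return [route(ev, RULES) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    print(emit_conf(RULES))
    for ev, idx in zip(SAMPLE_EVENTS, route_samples()):
        print(idx, "<-", ev)
```

Two caveats a practitioner should keep in mind: the REGEX runs against the raw event, and a proxy line usually carries more than one address, so the `src=` anchor (or whatever the real field delimiter is) matters; the second sample event has a destination inside client1's subnet and still routes to access_client2 only because of it. And unlike the lookup, this index-time configuration does not follow changes to clients.csv, so the stanzas have to be regenerated and deployed whenever the table changes, with overlapping subnets listed broader first because the last matching transform wins.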