Can anyone confirm if the below will work?
I have created a new index = test_index in SPLUNK 2 (new)
In the master-apps I have added transforms and props asking to override the data coming in and assigning to the new index.
transforms.conf
[test_index]
# Have to create appropriate regex; optional as it is . by default, and I want all data to go to new index
REGEX = .
# index name to which we are sending data
FORMAT = test_index
# specifying to store the value in FORMAT as index name
DEST_KEY = _MetaData:Index
props.conf
[host::abc.cdef.rr]
TRANSFORMS-index = test_index
I will have to add more in props.conf as I add the hosts. Please share thoughts. Much appreciated.
Thanks