Thanks for all the help here. There are obviously several ways to solve this problem. I wanted to separate logs into separate indexes based on which host generated the event.
Since it was indicated to me that the host:: tag was already put in there by the LWF, I used some time to try to make that work, to no avail. (I really miss some "sniffing" tools to see what kind of data and tags are actually communicated between Indexer, FW and LWF.)
Since the source tag is available from the LWF, my solution became this:
props.conf:
[source::/var/log/syslog]
TRANSFORMS-routing = route_to_a,route_to_b,route_to_c
transforms.conf:
[route_to_a]
DEST_KEY = _MetaData:Index
REGEX = ^\S+\s+\d+\s+\S+\s+192\.168\.111\.19
FORMAT = index_a
[route_to_b]
DEST_KEY = _MetaData:Index
REGEX = ^\S+\s+\d+\s+\S+\s+192\.168\.111\.86
FORMAT = index_b
[route_to_c]
DEST_KEY = _MetaData:Index
REGEX = ^\S+\s+\d+\s+\S+\s+192\.168\.111\.85
FORMAT = index_c
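As an added illustration (not part of the post above, and not Splunk's own code), the following Python script replays the three transforms.conf regexes against constructed syslog lines to show which index each line would land in. It assumes the classic "Mon DD HH:MM:SS host message" syslog layout, assumes that when several transforms with DEST_KEY = _MetaData:Index match, the last one wins, and uses a placeholder default index of "main". It also shows one check worth running before deploying such rules: the unanchored address pattern 192\.168\.111\.19 also matches a host 192.168.111.190, which a trailing \b fixes.

```python
import re

# Routing rules transcribed from the transforms.conf in the post above.
# Each regex is applied to the raw event; the matching rule sets the index.
TRANSFORMS = [
    ("route_to_a", r"^\S+\s+\d+\s+\S+\s+192\.168\.111\.19", "index_a"),
    ("route_to_b", r"^\S+\s+\d+\s+\S+\s+192\.168\.111\.86", "index_b"),
    ("route_to_c", r"^\S+\s+\d+\s+\S+\s+192\.168\.111\.85", "index_c"),
]

# Same rules with a word boundary after the address, so a longer address
# sharing the prefix (e.g. 192.168.111.190) no longer matches route_to_a.
TRANSFORMS_BOUNDED = [
    (name, regex + r"\b", index) for name, regex, index in TRANSFORMS
]


def route(raw_event, transforms=TRANSFORMS, default_index="main"):
    """Return the index a raw syslog line would be routed to.

    Assumption: when several transforms match, the last one wins.
    "main" is a placeholder for the default index.
    """
    chosen = default_index
    for _name, regex, index in transforms:
        if re.search(regex, raw_event):
            chosen = index
    return chosen


def route_all(events, transforms=TRANSFORMS):
    """Route a list of raw events; returns the index name for each."""
    return [route(event, transforms) for event in events]


# Constructed sample events (not real log data) in "Mon DD HH:MM:SS host msg" form.
# The fourth line comes from 192.168.111.190, which shares a prefix with .19.
SAMPLE_EVENTS = [
    "Mar  3 10:15:01 192.168.111.19 sshd[1234]: Accepted publickey for ops",
    "Mar  3 10:15:02 192.168.111.86 kernel: eth0: link up",
    "Mar  3 10:15:03 192.168.111.85 cron[77]: (root) CMD (run-parts)",
    "Mar  3 10:15:04 192.168.111.190 sshd[99]: Failed password for invalid user",
    "Mar  3 10:15:05 10.0.0.5 sudo: pam_unix: session opened for user root",
]

if __name__ == "__main__":
    for event, original, bounded in zip(
        SAMPLE_EVENTS, route_all(SAMPLE_EVENTS), route_all(SAMPLE_EVENTS, TRANSFORMS_BOUNDED)
    ):
        print(f"original={original:8s} bounded={bounded:8s} <- {event}")
```

With the original patterns the .190 host is misrouted to index_a; with the \b-terminated patterns it falls through to the default index, which is the behaviour to confirm before relying on these rules for per-host separation.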