Hi everyone,
I have web server events.
I want to forward the specific events that contain the digits 404 to index1 and the remaining events to index2.
Below is an example event:
12.130.60.4 - - [13/Jan/2016 21:03:09:149] "GET /category.screen?category_id=GIFTS&JSESSIONID=SD9SL6FF8ADFF9 HTTP 1.1" 404 3585 "http://www.myflowershop.com/category.screen?category_id=GIFTS" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 976
Please advise.
Try this:
In props.conf:
[mysourcetype]
# transforms run in the order listed and the last match wins,
# so the catch-all must come before the 404-specific one
TRANSFORMS-setIndex = setindex2, setindex1
In transforms.conf:
[setindex2]
# catch-all: every event gets index2 unless a later transform overrides it
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = index2
[setindex1]
# events containing 404 are re-routed to index1
DEST_KEY = _MetaData:Index
REGEX = 404
FORMAT = index1
Hi,
Thanks for your kind support. Yesterday I achieved that. Below is my working config.
inputs.conf
[monitor:///splunkfiles/lxxx/access_combined.log]
sourcetype = access_combined
index = webindex
props.conf
[access_combined]
TRANSFORMS-local = notfound
transforms.conf
[notfound]
# the leading quote anchors the match on the status field that follows the closing quote of the request string,
# so a 404 inside the URL or the byte count does not match
REGEX = "\s(404)\s
DEST_KEY = _MetaData:Index
FORMAT = notfoundindex
Initially, I used your approach, but it did not work for me.
Can you please explain line 8 in transforms.conf?
Lastly, our task is to move the events to the corresponding indexes before they get indexed (to save license). Is this method correct?
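As an added illustration (not from this thread or from Splunk itself), the following Python mimics how Splunk walks a TRANSFORMS list for index routing, namely that every matching REGEX overwrites _MetaData:Index in list order so the last match wins, and runs the posted configurations over two constructed events; the second event is assumed here to contain 404 in its URL and byte count but not as its status code.

```python
import re

# Constructed sample events. The first is the event from the question
# (user agent shortened); the second is a 200 response whose URL and byte
# count both contain the digits 404 but whose status code does not.
EVENTS = [
    '12.130.60.4 - - [13/Jan/2016 21:03:09:149] "GET /category.screen?category_id=GIFTS&JSESSIONID=SD9SL6FF8ADFF9 HTTP 1.1" 404 3585 "http://www.myflowershop.com/category.screen?category_id=GIFTS" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_3) Chrome/5.0.375.38" 976',
    '10.0.0.7 - - [13/Jan/2016 21:04:11:002] "GET /product.screen?product_id=404 HTTP 1.1" 200 1404 "-" "curl/7.47.0" 12',
]

# Each transform is (stanza name, REGEX, FORMAT) with DEST_KEY = _MetaData:Index.
ANSWER_AS_POSTED = [("setindex1", r"404", "index1"), ("setindex2", r".", "index2")]
ANSWER_REORDERED = [("setindex2", r".", "index2"), ("setindex1", r"404", "index1")]
WORKING_CONFIG = [("notfound", r'"\s(404)\s', "notfoundindex")]


def route(event, transforms, default_index):
    """Apply a TRANSFORMS-<class> list to one raw event the way Splunk does
    for index routing: each transform whose REGEX matches overwrites
    _MetaData:Index with its FORMAT, in list order, so the last match decides."""
    index = default_index
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            index = fmt
    return index


def route_all(transforms, default_index="webindex"):
    """Return the destination index chosen for each sample event."""
    return [route(e, transforms, default_index) for e in EVENTS]


if __name__ == "__main__":
    for label, chain in (("as posted", ANSWER_AS_POSTED),
                         ("reordered", ANSWER_REORDERED),
                         ("working config", WORKING_CONFIG)):
        print(f"{label:15s} -> {route_all(chain)}")
```

The original ordering sends every event to index2, the reordered chain routes both events to index1 because a bare 404 also matches the URL and byte count, and the quote-anchored regex from the working config only catches the real 404 status. Re-routing to another index still indexes the data and so counts against license volume; only events sent to nullQueue are dropped before indexing.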