Hi Guys,
I want to override sourcetype for all events before being indexed and redirect some of those events (those with ERROR) to another index with the overridden sourcetype.
So, I need events to be spread between two indexes: test1 and test2 (with ERROR events) and I need all of the events to have the same access_combined sourcetype.
I use the oneshot command to ingest data from a file:
>splunk add oneshot C://opt/log.txt -index test1 -sourcetype test_sourcetype
and now my **props.conf** looks like this:
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
# One TRANSFORMS-<class> key carrying a comma-separated list: two bare
# TRANSFORMS keys in the same stanza collide and only the last one applies.
# The transforms run in the order listed.
TRANSFORMS-routing = custom_sourcetype, route_notfound
LINE_BREAKER is here because it's a one-line log, so I need to break it into events, and that works fine.
and my **transforms.conf**:
[custom_sourcetype]
# _raw is the default SOURCE_KEY; REGEX = .* matches every event
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::access_combined
[route_notfound]
# events containing ERROR are routed to the second index
REGEX = ERROR
DEST_KEY = _MetaData:Index
# the target index (test2, as described above) must already exist on the indexer
FORMAT = test2
and if I use those transforms separately they work fine (I switch them off by using # in props.conf), but they do not work together.
How can I do those two things in one step, before the data is indexed?
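As an added illustration (not part of the post and not Splunk's own code), the following Python script simulates what the indexing pipeline does with these two files: it reads the props.conf and transforms.conf text with a last-duplicate-wins parser, breaks a constructed one-line log on the LINE_BREAKER capture group, and applies the listed transforms to each event in order. It runs the original stanza with two bare `TRANSFORMS` keys next to a stanza with a single `TRANSFORMS-routing` key (the class name `routing` is my choice), so you can see why only the index routing survives in the first case. The log lines, the `route`/`break_events`/`apply_transforms` helpers and the index name `test2` (taken from the description above) are assumptions of this example; the simplified semantics (first capture group discarded, repeated key overwritten, transforms applied in listed order) are a model of Splunk's documented behaviour, not its code.

```python
"""Simulate Splunk index-time LINE_BREAKER + TRANSFORMS handling (example only)."""
import configparser
import re

# props.conf as posted: two bare TRANSFORMS keys in one stanza (the second overwrites the first)
PROPS_BROKEN = r"""
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS = custom_sourcetype
TRANSFORMS = route_notfound
"""

# props.conf with one TRANSFORMS-<class> key listing both transforms in execution order
PROPS_FIXED = r"""
[host::myhost]
LINE_BREAKER = \d+(&)
SHOULD_LINEMERGE = false
TRANSFORMS-routing = custom_sourcetype, route_notfound
"""

TRANSFORMS_CONF = r"""
[custom_sourcetype]
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::access_combined

[route_notfound]
REGEX = ERROR
DEST_KEY = _MetaData:Index
FORMAT = test2
"""

# Constructed one-line log: each record ends in a counter followed by '&'.
RAW_LOG = (
    '10.0.0.1 - - [01/Jan/2024:10:00:00] "GET /index.html HTTP/1.1" 200 512 1&'
    '10.0.0.2 - - [01/Jan/2024:10:00:01] "GET /missing HTTP/1.1" 404 ERROR 2&'
    '10.0.0.3 - - [01/Jan/2024:10:00:02] "GET /about HTTP/1.1" 200 128 3&'
)


def load_conf(text):
    """Parse a .conf file; strict=False keeps the last value of a repeated key, as Splunk does."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case (TRANSFORMS, DEST_KEY, ...)
    parser.read_string(text)
    return parser


def break_events(raw, line_breaker):
    """Split the stream at each match: text before the first capture group belongs to the
    previous event, the captured text is discarded, and the text after it starts the next event."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    if raw[pos:].strip():
        events.append(raw[pos:])
    return events


def transform_list(props_stanza):
    """Collect transform names from every TRANSFORMS / TRANSFORMS-<class> key, in file order."""
    names = []
    for key, value in props_stanza.items():
        if key == "TRANSFORMS" or key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(","))
    return names


def apply_transforms(event, names, transforms, default_index, default_sourcetype):
    """Run each transform in order; a matching REGEX sets DEST_KEY to FORMAT."""
    meta = {"MetaData:Sourcetype": "sourcetype::" + default_sourcetype,
            "_MetaData:Index": default_index}
    for name in names:
        t = transforms[name]
        source_key = t.get("SOURCE_KEY", "_raw")
        source = event if source_key == "_raw" else meta.get(source_key, "")
        if re.search(t["REGEX"], source):
            meta[t["DEST_KEY"]] = t["FORMAT"]
    return {"index": meta["_MetaData:Index"],
            "sourcetype": meta["MetaData:Sourcetype"].split("::", 1)[1],
            "raw": event}


def route(raw, props_text, transforms_text, default_index="test1", default_sourcetype="test_sourcetype"):
    """Simulate 'splunk add oneshot ... -index test1 -sourcetype test_sourcetype' for host myhost."""
    props = load_conf(props_text)["host::myhost"]
    transforms = load_conf(transforms_text)
    names = transform_list(props)
    return [apply_transforms(ev, names, transforms, default_index, default_sourcetype)
            for ev in break_events(raw, props["LINE_BREAKER"])]


if __name__ == "__main__":
    for label, props in (("broken", PROPS_BROKEN), ("fixed", PROPS_FIXED)):
        print(label, "->", [(e["index"], e["sourcetype"]) for e in route(RAW_LOG, props, TRANSFORMS_CONF)])
```

With the posted stanza only `route_notfound` is applied (the ERROR event lands in test2, but every event keeps the oneshot sourcetype); with the single `TRANSFORMS-routing` key both transforms run, so all three events become access_combined and only the ERROR event is routed to test2.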