In my testing environment I have three main indexes that are specific to the data stored within them. I want to change the host value of all events by appending a string at the end of the host at index time (similar to a domain name, as an example) and I know how to do this with the props-transforms configuration, but I can only do it based on sourcetype, host, or source. Is there a way to do the same thing but based on index?
For example,
index1: host -> host.test1, something -> something.test1
index2: tmp -> tmp.test2
index3: hello -> hello.test3
I know how to do this based on the host field, for example:
props.conf:

[host::*]
TRANSFORMS-appendname = append_name

transforms.conf:

[append_name]
SOURCE_KEY = MetaData:Host
REGEX = (.*)
FORMAT = $1.test
DEST_KEY = MetaData:Host

And in this case, every host that forwards logs to my indexer would have their events stored as
host = hostname.test
How do I do the same thing but based on the target index?