I'm exporting events from a Heavy Forwarder to syslog without indexing (throwing to nullQueue after syslog output).
Since syslog contains only 'host' and raw data, I'm missing the 'sourcetype' in the syslog.
I would like to make an index-time transform that combines the sourcetype and the host, together in the host field.
The reason for that is that I'm sending those events to syslog-ng, and not to a Splunk indexer.
The syslog format cannot contain special fields like sourcetype.
Is there any way to use a transform with two SOURCE_KEYs into one DEST_KEY?