I have a setup as Universal Forwarder (UF) - Heavy Forwarder (HF) - Indexer - Search Head (SH).
Where multiple UF are sending data to single HF which in turn sends data to single Indexer.
I have below stanza on my multiple UF's inputs.conf file
[perfmon://CPU Load]
counters = % Processor Time;% User Time
object = Processor
instances = _Total
interval = 30
sourcetype = Perfmon
index = idx_XXX_Perfmon_CPU-Load
Where XXX is server name. Now, in order to have a common app across all UF to be deployed through Deployment server, I have removed the Index from the stanza and wants to assign index based on Host + SourceType combination on a HF using props.conf and transform.conf.
Example:
- If event comes from Server1 with sourcetype as Perfmon then set index = idx_Server1_Perfmon_CPU-Load
- If event comes from Server2 with sourcetype as Perfmon then set index = idx_Server2_Perfmon_CPU-Load.
Please help me to design correct stanza for this requirement.
↧