I have app data routing from one set of Relay Forwarders (DEV) into another set of Relay Forwarders (sandbox) and then on to a set of indexers. I need to route the data to a specific index if the field COMPONENT has a specific value (web or cam). All other values will continue to route the data to the existing index (dev).
I have looked at all Splunk Answers posts I could find. I do not have enough Karma points to post them here. What did I miss?
props.conf
[CAMrouting]
TRANSFORMS-routing_to_cam_index = fieldCAM_routing
[WEBrouting]
TRANSFORMS-routing_to_web_index = fieldWEB_routing
transforms.conf
[fieldWEB_routing]
REGEX = WEB
FORMAT = web
DEST_KEY = _MetaData:Index
[fieldCAM_routing]
REGEX = CAM
FORMAT = cam
DEST_KEY = _MetaData:Index
↧