Our heavy forwarder is forwarding logs to the Indexer. All the logs are going to the main Index. In the indexer level, is it possible to change Props.conf and /transforms.conf to send the logs to a different(alternate) index based on the Host? I put the below changes in the indexer conf files which is not working. Same config changes works from heavy forwarder, but I am having a different issue when I put it in the Heavy forwarder. From Heavy forwarder its duplicating the messages into both main and Newindex. So I am trying to put directly into indexer, which is not working :(
**in props.conf**
[host::(IPaddress]
TRANSFORMS = rewrite-DPindex
**in transforms.conf**
[rewrite-DPindex]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = NewIndex
↧