I have gone through the docs: routing based on meta data (source, host, sourcetype) to send specific data to a different target group, but isn't working.
I have 10 hosts that send data to an intermediate Heavy Forwarder (HF1), and that sends to another intermediate Heavy Forwarder (HF2) and finally to the indexers.
On the second intermediate forwarder, I added
Props.conf
[host::(host1|host2|.....|host10)]
TRANSFORMS_routing = missioncritical_hosts
On transforms.conf
[missioncritical_hosts]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=target_group2
On outputs.conf
[tcpout]
default-group = target_group1
[tcpout:target_group2]
server = idxr2:9997
Restarted splunkd, no errors in splunkd.log
No data from that HF related to missioncritical_servers on the original index mshosts or main. What am I missing?
Thanks in advance!
Avanthi
↧