
How to Forward data based on source from forwarder when data is coming from single TCP port?

I have log data from multiple sources coming into a single TCP port in JSON format as below:

<01>- hostname {"name":"DefaultProfile","version":"1.0","isonjkpFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","type":"Event","category":"RT_FLOW_SESSION_CREATE_LS" [helps@2222.2.2.2.2.22 localis-compute-zxcv=\"ABC1\" application=\"UNKNOWN\" MKUNJI-application=\"UNKNOWN\" mnbhyujgt=\"UNKNOWN\"]","bgasbnJuh":"1","mnbIPOUN":"other","absIPPOL":"other","qweTgvfrt":"minj-bag6-7856ab-Hnqasui","abcPecpokk":"och-00-145-987.Net_11_4_5_6","mnbJhbpoiu":"other","source":"My application1","nhjRkyhcfBhytf":"MKI-PLO-ASW","thuHyrtfcQhbnjuytfv":"192.168.1.11"}

From this input, I want to forward the data to separate indexes based on the value of the source field, i.e., if source: application1, then send to index1, and so on. Does the Splunk forwarder have the capability to extract a field and segregate the events to separate indexes on the indexer?
