My current situation is that a bunch of files are all being dumped into one directory for the forwarder to monitor and send to the indexers. Based on a field in the data, I route the events to different indexes. These are the current props.conf and transforms.conf which are working.
props.conf:
[json_input]
MAX_TIMESTAMP_LOOKAHEAD=30
...
TRANSFORMS-override-ldc=override-ldc
TRANSFORMS-override-jrc=override-jrc
transforms.conf:
[override-ldc]
SOURCE_KEY=_raw
DEST_KEY=_MetaData:Index
REGEX=fieldname\"\s*:\s*\"LDC.*
FORMAT=foo_ldc
[override-jrc]
SOURCE_KEY=_raw
DEST_KEY=_MetaData:Index
REGEX=fieldname\"\s*:\s*\"JRC.*
FORMAT=foo_jrc
I also need to override the value for the source field based on the exact same REGEX. Can I use the same transforms stanza to update 2 metadata fields, or do I need to have a second transform which uses the same REGEX but overrides source rather than index?
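A transforms.conf stanza carries a single DEST_KEY, so overriding source as well as index takes a second stanza that repeats the REGEX. The configuration below is an added example, not part of the original post; the `-source` stanza names and the `ldc_files` / `jrc_files` source values are placeholders.

```ini
# props.conf
# Each TRANSFORMS-<class> setting accepts a comma-separated list of stanzas.
[json_input]
TRANSFORMS-override-ldc = override-ldc, override-ldc-source
TRANSFORMS-override-jrc = override-jrc, override-jrc-source

# transforms.conf
# Existing index-routing stanza from the post, unchanged.
[override-ldc]
SOURCE_KEY = _raw
DEST_KEY = _MetaData:Index
REGEX = fieldname\"\s*:\s*\"LDC.*
FORMAT = foo_ldc

# Hypothetical companion stanza: same REGEX, different DEST_KEY.
# Source overrides use MetaData:Source and FORMAT must carry the source:: prefix.
[override-ldc-source]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Source
REGEX = fieldname\"\s*:\s*\"LDC.*
FORMAT = source::ldc_files

[override-jrc]
SOURCE_KEY = _raw
DEST_KEY = _MetaData:Index
REGEX = fieldname\"\s*:\s*\"JRC.*
FORMAT = foo_jrc

[override-jrc-source]
SOURCE_KEY = _raw
DEST_KEY = MetaData:Source
REGEX = fieldname\"\s*:\s*\"JRC.*
FORMAT = source::jrc_files
```

The new stanzas are index-time transforms, so they belong on the same instance where the existing index overrides already take effect.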