Hello,
we followed the description given in the following .conf session to achieve Index Routing based on _meta Values:
.conf 2013 - Splunk in a Global Banking Environment (I am not allowed to post any links)
But for some reason the following REGEX is not working in Splunk 6.4:
**transforms.conf:**

```
[index_test1]
SOURCE_KEY = _meta
DEST_KEY = _MetaData:Index
REGEX = (?i)(stage::(PROD) logtype::(TEST))
FORMAT = index_test1
```

When we just use `REGEX = (stage::(PROD))` or `REGEX = (logtype::(TEST))` then everything is fine, but the problem occurs when we want to match on both fields.
Thanks,
/Rainer
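
Added example, not part of the original post or the .conf session: a Python check of what each `REGEX` quoted in the post requires of the `_meta` string, using Python's `re` in place of Splunk's PCRE. The sample `_meta` values are constructed and assume `_meta` is a space-separated list of `key::value` pairs; the `lookahead` pattern is a hypothetical order-independent variant that the post does not contain.

```python
import re

# The three REGEX values quoted in the post, plus one hypothetical
# order-independent variant built from lookaheads (not from the post).
PATTERNS = {
    "stage_only": r"(stage::(PROD))",
    "logtype_only": r"(logtype::(TEST))",
    "combined": r"(?i)(stage::(PROD) logtype::(TEST))",
    "lookahead": r"(?i)^(?=.*\bstage::PROD\b)(?=.*\blogtype::TEST\b)",
}

# Constructed _meta values (assumption: space-separated key::value pairs
# whose order and neighbours are not guaranteed).
SAMPLES = {
    "adjacent": "stage::PROD logtype::TEST",
    "reversed": "logtype::TEST stage::PROD",
    "field_between": "stage::PROD dc::fra1 logtype::TEST",
    "double_space": "stage::PROD  logtype::TEST",
    "other_stage": "stage::DEV logtype::TEST",
}


def match_table(patterns=PATTERNS, samples=SAMPLES):
    """Return {pattern_name: {sample_name: bool}} using an unanchored search."""
    return {
        pname: {sname: re.search(rx, text) is not None
                for sname, text in samples.items()}
        for pname, rx in patterns.items()
    }


def failing_samples(pattern_name, table=None):
    """Names of the constructed samples a given pattern does not match."""
    table = table or match_table()
    return sorted(s for s, hit in table[pattern_name].items() if not hit)


if __name__ == "__main__":
    table = match_table()
    names = list(SAMPLES)
    print(f"{'pattern':<14}" + "".join(f"{n:<15}" for n in names))
    for pname, row in table.items():
        print(f"{pname:<14}" + "".join(f"{str(row[n]):<15}" for n in names))
```

The combined pattern matches only when `stage::PROD` is immediately followed by exactly one space and `logtype::TEST`, so comparing it against the real `_meta` contents of an affected event shows which of these conditions is not met.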