I have a situation where I'd like to duplicate some or all events going to one index into another.
The only point at which I can touch the data is as it hits the indexers. I can't use another heavy forwarder to do the duplication in flight.
In reading the docs, I've come up with this, but I think I'm missing something fundamental.
At a basic level, below is sort of what I want:
props.conf

[mydupesourcetype]
TRANSFORMS-duplicate = original_index, duplicate_index

transforms.conf

[original_index]
FORMAT = indexa
REGEX = (.)
DEST_KEY = _MetaData:Index

[duplicate_index]
REGEX = mydupesourcetype
FORMAT = indexb
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = _MetaData:Index

http://docs.splunk.com/Documentation/Splunk/6.4.0/Forwarding/Routeandfilterdatad
This would mean the props and transforms above would never work, as it would just rename the index in the duplicate_index stanza.
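
One way to get a real second copy on the indexers, as an added example that is not part of the original post: `CLONE_SOURCETYPE` in transforms.conf clones each matching event under a new sourcetype, and the clone's own props stanza then routes it to indexb. The stanza names and the clone sourcetype `mydupesourcetype_clone` are assumptions; `indexb` and `mydupesourcetype` come from the post.

```ini
# props.conf (on the indexers)
[mydupesourcetype]
# The original event keeps the index it arrived with; this transform only creates a clone.
TRANSFORMS-clone = clone_for_indexb

# Assumed name: the sourcetype given to the cloned events.
[mydupesourcetype_clone]
TRANSFORMS-route = route_clone_to_indexb

# transforms.conf (on the indexers)
[clone_for_indexb]
# Matches every event of the original sourcetype; narrow the REGEX to clone only some events.
REGEX = .
CLONE_SOURCETYPE = mydupesourcetype_clone

[route_clone_to_indexb]
# Runs only for the clone, so the original event is not re-pointed.
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = indexb
```

The copy lands in indexb under the clone sourcetype, so searches and props that key on `mydupesourcetype` need a matching stanza for the new name.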