Channel: Questions in topic: "splunk-enterprise"

How do I use requireHeader to override indexing settings for a TCP input?

The `inputs.conf` documentation describes a `requireHeader` setting for TCP inputs:

> requireHeader = bool
>
> Require a header be present at the beginning of every stream.
>
> This header may be used to override indexing settings.
>
> Defaults to false.

Where can I find more information, preferably with examples, on specifying a header for a TCP input, and using it to override indexing settings?

In particular:

* Which indexing settings can I override, and how? For example, can I use `requireHeader = true` with some other setting(s) to override which index events (in subsequent lines in the stream) get stored in?
* I'm already using a stanza in `transforms.conf` to override `sourcetype` per event. I haven't tried, but I think (based on the documentation I have read) that I can use the same technique to override the index per event, using `DEST_KEY = _MetaData:Index`. Typically, though, for my purposes, I'm more likely to want to override the index for an entire stream rather than per event, which is why a header-based override appeals to me. Will such per-event overrides take precedence over index settings overridden via whatever method(s) `requireHeader = true` involves?
