We want to change sourcetype and then send data to two different Splunk Indexers.
What is happening is that the sourcetype is getting changed (which means the first transform is working), but the second props.conf stanza, present in the apps folder, is not working (it only sends the logs to the default output group).

**Transform 1:** SPLUNK_HOME/etc/system/local/

props.conf

```
[source::/abc/xyz.log]
TRANSFORMS-changesourcetype = st
```

transforms.conf

```
[st]
REGEX = \.*\[12345]\.*
FORMAT = sourcetype::my_sourcetype
DEST_KEY = MetaData:Sourcetype
```

**Transform 2:** SPLUNK_HOME/etc/apps/application/local/

props.conf

```
[my_sourcetype]
TRANSFORMS-routing = route_data
```

transforms.conf

```
[route_data]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexer1, indexer2
```