I have created a setup where from an input based on a regex some of the events are sent to a specific index with changed source type. It is working nicely with regular indexes, but I can not get it working with metrics based indexes. What could be wrong?
props.conf
[csv]
TRANSFORMS-indst = change_index,change_sourcetype
inputs.conf
[udp://514]
connection_host = ip
sourcetype = csv
transforms.conf
[change_index]
REGEX = (?i) error
DEST_KEY = _MetaData:Index
WRITE_META = true
FORMAT = metrics_index
[change_sourcetype]
REGEX = (?i) error
DEST_KEY = _MetaData:
WRITE_META = true
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::metrics_sourcetype
↧