Hi all,
I need some leads on an issue. I am having trouble in data forwarding from splunk HF to 3rd party. My prop.conf file below:
[host::hostname]
TRANSFORMS-weblog-matrix = send_to_syslog_EFH,send_to_index.
But this is forwarding all the logs from the host. but instead I want to send one of the sourcetype from the host.
Is it possible to filter by both hostname and sourcetype? If so, please peovide some sample props.conf and transformas.conf.
Thanks
↧