Channel: Questions in topic: "splunk-enterprise"

Routing the data to a different Index via Regex

Hello,

We have a source ABC sending us logs, and they are being stored inside an index called all_logs. From that source we want to separate the events that contain the field SiteUrl: https://www.abc.com/site/PathologyPHI and send those logs to a new index called new_logs, while the rest of the logs should still go to the index all_logs.

This is what I've tried so far, but all the logs still end up in the index all_logs instead of being routed. FYI, props and transforms are kept under $SPLUNK_HOME/etc/system/local, while inputs.conf is under the local directory of the TA that brings in the logs. I had to do this because props.conf also has a setting defined for another sourcetype. Any suggestions regarding moving them back to the TA will be appreciated as well.

In props.conf, I made the following change:

    [abc:management:activity]
    TRANSFORMS-routing = abc_logs

In transforms.conf, I did this:

    [abc_logs]
    REGEX = SiteUrl:.+PathologyPHI
    DEST_KEY = _MetaData:Index
    FORMAT = new_logs

Here is the inputs.conf for the source. There are other inputs too, but this input brings in the events we want to route. We do not want to route all the events coming off this input, only the ones matching the regex:

    [splunk_ta_abc_management_activity://Auditabc]
    content_type = Audit.abc
    index = all_logs
    sourcetype = abc:management:activity
    interval = 120
    tenant_name = ABC
    disabled = 0
    start_by_shell = false

Any help will be highly appreciated. Thank you.
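As an added illustration (not part of the original question or any answer to it), the script below simulates what the posted transform does: it applies the REGEX from transforms.conf to the raw event and, on a match, overwrites _MetaData:Index with FORMAT. It runs the poster's exact rule, and a second rule that is my own assumption (TOLERANT_RULE, not from the post), against constructed sample events. The sample events are invented for the demonstration; they are not real ABC audit records. Python's re is close enough to Splunk's PCRE for these patterns.

```python
import re

# The poster's transform, as the three transforms.conf values
# (REGEX, DEST_KEY, FORMAT). These values are taken from the question.
POSTED_RULE = (r"SiteUrl:.+PathologyPHI", "_MetaData:Index", "new_logs")

# Assumed alternative (my own, not from the post): tolerates JSON quoting
# around the key and value ("SiteUrl": "https://..."), and uses \S*? so the
# match stops at the first whitespace and cannot run across other fields.
TOLERANT_RULE = (r'SiteUrl"?\s*:\s*"?\S*?PathologyPHI', "_MetaData:Index", "new_logs")

# Constructed sample events covering the cases a practitioner should test:
# key/value text, a non-matching site, a JSON-serialised event, and an event
# where "PathologyPHI" appears in a later field but not in SiteUrl.
EVENTS = {
    "kv_phi": "CreationTime: 2024-01-01T00:00:00 Operation: FileAccessed "
              "SiteUrl: https://www.abc.com/site/PathologyPHI UserId: alice",
    "kv_other": "CreationTime: 2024-01-01T00:00:00 Operation: FileAccessed "
                "SiteUrl: https://www.abc.com/site/Cardiology UserId: bob",
    "json_phi": '{"CreationTime": "2024-01-01T00:00:00", "Operation": "FileAccessed", '
                '"SiteUrl": "https://www.abc.com/site/PathologyPHI", "UserId": "alice"}',
    "kv_cross_field": "CreationTime: 2024-01-01T00:00:00 "
                      "SiteUrl: https://www.abc.com/site/Cardiology "
                      "Comment: ticket about PathologyPHI access",
}


def route(raw, default_index, rules):
    """Apply TRANSFORMS-style rules in order to one raw event.

    default_index is the index= value from inputs.conf. A rule whose REGEX
    matches and whose DEST_KEY is _MetaData:Index overwrites the index with
    its FORMAT; a later matching rule overwrites an earlier one.
    """
    index = default_index
    for regex, dest_key, fmt in rules:
        if dest_key == "_MetaData:Index" and re.search(regex, raw):
            index = fmt
    return index


def route_all(rules, default_index="all_logs"):
    """Return {event name: destination index} for every sample event."""
    return {name: route(raw, default_index, rules) for name, raw in EVENTS.items()}


if __name__ == "__main__":
    for label, rule in (("posted", POSTED_RULE), ("tolerant", TOLERANT_RULE)):
        print(label)
        for name, dest in route_all([rule]).items():
            print(f"  {name:15s} -> {dest}")
```

Two things the simulation makes visible: the posted regex requires a literal `SiteUrl:` and will not match an event serialised as JSON (`"SiteUrl": "..."`), and its `.+` can run across neighbouring fields, so an event whose SiteUrl is a different site still gets routed if the string appears anywhere later. Beyond the regex, two checks are worth doing on the instance where the data is parsed: index-time props and transforms only take effect on the first full Splunk instance (heavy forwarder or indexer) that processes the data, and the effective settings for the sourcetype can be confirmed with `splunk btool props list abc:management:activity --debug` and `splunk btool transforms list abc_logs --debug`, which also show which file each setting came from. The target index new_logs must also exist on the indexer.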
