I am currently trying, unsuccessfully, to assign a custom sourcetype and index from within a local/transforms.conf file.
The following is a sample log entry:
```
Oct 20 18:00:01 cc-mailserver event="Mail Details" src_ip="x.y.251.54" src_port="57709" dst_ip="x.y.17.128" dst_port="25" message_date="Tue, 20 Oct 2015 18:11:06 -0400 (EDT)" from="Bamboo " to="Bamboo2@myserver.net" reply="" envel_from=""
```
The following are the entries in my transforms.conf file:
```ini
#### Index Routing
[force_index_for_mail_scrape]
REGEX = cc-mailserver
FORMAT = security
DEST_KEY = _MetaData:Index

#### Sourcetype Routing
[force_sourcetype_for_mail_scrape]
REGEX = cc-mailserver
FORMAT = sourcetype::mail_scrape
DEST_KEY = MetaData:Sourcetype
```
The data is currently appearing with `index=main` and `sourcetype=mail_scrape-3`. The above config is being pushed both to the search heads as well as the indexers.
Any assistance would be appreciated.
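For readers working through the same setup, the following is an added example (not the poster's files) of how Splunk expects a transforms.conf routing stanza to be wired in: a transforms.conf stanza is only evaluated when a props.conf stanza references it through a `TRANSFORMS-<name>` setting, and that props.conf stanza must match the sourcetype, source or host the data carries when it first arrives at the parsing tier. The props.conf stanza name `[syslog]` below is an assumption standing in for whatever the input assigns; the transforms.conf stanzas repeat the post's two entries so the pair is self-contained.

```ini
# props.conf (added example; the stanza name is an assumption and must match
# the sourcetype, source::<pattern> or host::<pattern> the data arrives with
# BEFORE these transforms rewrite it)
[syslog]
TRANSFORMS-mail_scrape_routing = force_index_for_mail_scrape, force_sourcetype_for_mail_scrape

# transforms.conf (the same two stanzas as the post; REGEX is applied to _raw
# because SOURCE_KEY defaults to _raw)
[force_index_for_mail_scrape]
REGEX = cc-mailserver
FORMAT = security
DEST_KEY = _MetaData:Index

[force_sourcetype_for_mail_scrape]
REGEX = cc-mailserver
FORMAT = sourcetype::mail_scrape
DEST_KEY = MetaData:Sourcetype
```

Index and sourcetype rewrites of this kind are applied at parsing time, so the props.conf/transforms.conf pair needs to be present on the indexers (or on heavy forwarders that parse before forwarding) and splunkd restarted there; copies on the search heads have no effect on how incoming events are routed. The target index named in `FORMAT` must also already exist in indexes.conf on the indexers, otherwise events are dropped or land in the last-chance index rather than in `main`.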