So basically, I have a ton of events coming in on UDP 514. Based on the document linked below, I was able
to configure my Sourcetype Overrides so not everything comes in as "Palo Alto". However, now my 3PAR Storage Array logs are coming in as:
sourcetype = 3par_array
index = network
I'd like to override my Index field based on the Regex I configured for Sourcetype Overrides, however Splunk says that "DestKey = Index" is undefined. Could someone please help me out?
http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Advancedsourcetypeoverrides
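For reference, this is how the two overrides normally look in Splunk 6.x configuration, as an added example and not the asker's own config: the index is addressed in transforms.conf as `_MetaData:Index` (note the leading underscore), not `Index`, and its FORMAT is the bare index name, whereas the sourcetype key is `MetaData:Sourcetype` with a `sourcetype::` prefix in FORMAT. The stanza name `[source::udp:514]`, the transform names, the target index `storage` and the REGEX (which matches a syslog header whose hostname contains "3par") are assumptions; substitute the regex you already use for the sourcetype override.

```ini
# props.conf  (on the indexer or heavy forwarder that parses the UDP 514 feed)
# "udp:514" is the default source for a [udp://514] input; stanza name assumed.
# Transforms run left to right, so the sourcetype is set before the index.
[source::udp:514]
TRANSFORMS-3par = set_3par_sourcetype, set_3par_index

# transforms.conf
# Sourcetype override. REGEX is a constructed example: it matches a syslog
# header "<pri>Mon dd hh:mm:ss host" whose host field contains "3par".
[set_3par_sourcetype]
REGEX = ^<\d+>\w{3}\s+\d+\s[\d:]+\s\S*3par\S*\s
FORMAT = sourcetype::3par_array
DEST_KEY = MetaData:Sourcetype

# Index override. DEST_KEY needs the leading underscore, and FORMAT is the
# plain index name (no "index::" prefix). "storage" is an assumed index name.
[set_3par_index]
REGEX = ^<\d+>\w{3}\s+\d+\s[\d:]+\s\S*3par\S*\s
FORMAT = storage
DEST_KEY = _MetaData:Index
```

Two checks before restarting: the target index must already exist on the indexer (events routed to an index that does not exist are not searchable), and both stanzas have to live where parsing happens, so putting them on a universal forwarder will have no effect. `splunk btool transforms list set_3par_index --debug` shows whether the stanza was read at all.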