Hi.
I'm trying to find a quick and simple way to separate my incoming Cisco syslogs into different indexes. For complicated and dull reasons we can only really use the udp:514 listener.
The best I've come up with so far is defining a number of different transforms in the props.conf, then using regex to define which index they go to. Unfortunately my Splunk and regex skills are currently rather weak and it's refusing to work.
So far I've got to here:
~~ props.conf ~~
[syslog]
# Transforms in this list run in order; the last one whose REGEX matches
# sets the index, so the catch-all has to come first.
TRANSFORMS-routing = generic-routing, MPLS-routing, Office-routing
~~ transforms.conf ~~
[MPLS-routing]
SOURCE_KEY = MetaData:Host
# The host metadata value carries a "host::" prefix, so anchor on it
# (an unanchored 10\.10\. would also match e.g. 172.10.10.5).
REGEX = ^host::10\.10\.
DEST_KEY = _MetaData:Index
# Index names must be lowercase (numbers, lowercase letters, underscores, hyphens).
FORMAT = mpls
[Office-routing]
SOURCE_KEY = MetaData:Host
REGEX = ^host::10\.100\.
DEST_KEY = _MetaData:Index
FORMAT = office
[generic-routing]
# REGEX is required for index-time transforms; "." matches every event.
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = syslog
Any tips or thoughts?
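Added example, not part of the question above and not Splunk's own code: a small Python model of how a TRANSFORMS-<class> chain behaves, so the ordering and regex pitfalls can be checked offline before touching a real indexer. It assumes two things about Splunk that the example encodes as comments: transforms in the list are evaluated in order with the last match winning, and the MetaData:Host value seen by the regex is prefixed with "host::". The chain, the sample hosts and the "main" fallback index are constructed for the example.

```python
import re

# Constructed model of the TRANSFORMS-routing list: (name, regex, target index).
# Assumption modelled here: Splunk walks the list in order and the last
# transform whose REGEX matches writes _MetaData:Index, so the catch-all
# must be first. A transform with no REGEX never matches (REGEX is required
# for index-time transforms), which is modelled as pattern None.
ROUTING_CHAIN = [
    ("generic-routing", r".", "syslog"),
    ("MPLS-routing", r"^host::10\.10\.", "mpls"),
    ("Office-routing", r"^host::10\.100\.", "office"),
]

# The chain as originally posted: no REGEX on the catch-all, unanchored host regexes.
BROKEN_CHAIN = [
    ("generic-routing", None, "syslog"),
    ("MPLS-routing", r"10\.10\.\d+", "MPLS"),
    ("Office-routing", r"10\.100\.\d+", "office"),
]


def route_index(host_key: str, chain=ROUTING_CHAIN, default: str = "main") -> str:
    """Return the index an event lands in.

    host_key is the MetaData:Host value as the transform sees it, i.e.
    'host::<hostname>' (assumption noted in the lead-in). Transforms are
    applied in list order; each match overwrites the index, so the last
    match wins. 'default' stands in for the index the input would fall
    back to when nothing matches (constructed value for this example).
    """
    index = default
    for _name, pattern, target in chain:
        if pattern is not None and re.search(pattern, host_key):
            index = target
    return index


def route_all(hosts, chain=ROUTING_CHAIN) -> dict:
    """Route a list of bare hostnames, adding the 'host::' prefix for each."""
    return {h: route_index("host::" + h, chain) for h in hosts}


# Constructed sample hosts: an MPLS router, an office switch, a host in
# neither range, and a host whose address merely contains "10.10." in the middle.
SAMPLE_HOSTS = ["10.10.4.1", "10.100.7.2", "192.168.1.1", "172.10.10.5"]

if __name__ == "__main__":
    print("corrected chain:", route_all(SAMPLE_HOSTS))
    print("posted chain:   ", route_all(SAMPLE_HOSTS, BROKEN_CHAIN))
    # Putting the catch-all last silently sends everything to 'syslog'.
    print("catch-all last: ", route_all(SAMPLE_HOSTS, list(reversed(ROUTING_CHAIN))))
```

Running it shows the three failure modes side by side: with the posted chain, hosts outside both ranges never reach the syslog index (the catch-all has no REGEX), 172.10.10.5 is misrouted to MPLS by the unanchored pattern, and reversing the list order makes the catch-all win for every host.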