I've been attempting to route Syslog messages, coming from certain hosts, to a separate index with no success. Below is an example of my config:
Splunketcsystemlocal\
Props.conf [syslog] TRANSFORMS-index = test
Transforms.conf [test] REGEX = * FORMAT = myindex DEST_KEY = _MetaData:Index