We have data that comes into UDP port 514 on a heavy forwarder that we than send to our indexers. The data looks like the below:
Aug 26 12:23:19 10.142.102.50 Aug 26 12:23:18 pl-wlmuatdp4 [in01_sr][latency][info] wsgw(AutoPolicyManager): trans(76922997)[10.142.99.6]: Latency: 0 47 0 15 47 10 0 194 241 195 241 241 236 226 15 47 host=10.142.102.50 Options| sourcetype=Datapower Options| source=udp:514 Options| Test001=pl-wlmuatdp4 Options
We want to filter the data based on the field "in01_sr" the field has 4 possible values. Does anyone know how we can filter based on this value? Would it be done on the indexers or on the heavy forwarder? We would like to set it up so that we route to a separate index based on that value.
