On the server MyServer I have events coming into the index MyIndex from various sources. I want to tag a subset of these events and send them to OtherServer into the index OtherIndex.
So on MyServer in props.conf I have
[sourcetype_in_question]
TRANSFORMS-sendtoother = send_to_other
In transfoms.conf
[send_to_other]
REGEX = (.)
DEST_KEY = _TCP_ROUTING
FORMAT = send_to_other
In outputs.conf
[tcpout]
defaultGroup = nothing
indexAndForward = 1
disabled = 0
[tcpout:send_to_other]
server=other_server:9997
sendCookedData=false
My first issue is that if I set sendCookedData to true the receiving server gets nothing. My second issue is how to change the receiving index to OtherIndex. Should this be done on the other server?