
Rule based source typing


I'm trying to set the sourcetype on some events I get based on their contents, and then I want to send each of those differentiated sourcetypes to their own indexes. I've tried a bunch of different ways, and none of my approaches seem to work quite like the docs say they should.

So, for starters, source typing. I feel like what I'm trying to do is simple. If the string FlightEvent occurs anywhere in the event, it should be a FlightEvent. Flight and Event are actually separate XML opening tags, but I can't seem to get less-than and greater-than symbols to display in markdown. I don't know if that has any impact in props or transforms.conf.

In props.conf

[FlightEvent]
TRANSFORMS-flighteventtrans = flighteventformat

In transforms.conf

[flighteventformat]
REGEX = FlightEvent
LOOKAHEAD = 16
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype:FlightEvent

No good.

I tried setting up rule based source typing.

In props.conf

[rule::flighteventrule]
sourcetype=FlightEvent
MORE_THAN_1 = FlightEvent

No good. I also can't get sourcetypes to go to the correct indexes, or actually any index other than main, but I guess I'll try to deal with that when I get source typing figured out.
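The following props.conf/transforms.conf pair is an added example (not from the original post or an answer to it) showing the index-time override approach the question is attempting, with the two points that usually stop it from firing. First, the props.conf stanza has to match the data as it arrives (its source, host, or initial sourcetype); a stanza named after the sourcetype you want to end up with never applies, because nothing has that sourcetype yet. The initial sourcetype "flight_xml", the index name "flightevents", and the regex `<Flight>\s*<Event>` (two adjacent opening tags, as the question describes) are assumptions to adjust. Second, the FORMAT for a sourcetype override uses a double colon (`sourcetype::Name`), and the deliberately small LOOKAHEAD in the question limits the regex to the first 16 characters of each event, so the default lookahead is kept here. Index routing is a second transform with DEST_KEY `_MetaData:Index`; the target index must already exist in indexes.conf, and both files belong on the indexer or heavy forwarder that parses the data, not on a universal forwarder. Note that `[rule::...]` stanzas classify a whole source by sampling its lines and are only consulted when no other source typing method applies, so they cannot split the events of one file across sourcetypes; TRANSFORMS is the per-event mechanism.

```ini
# --- props.conf (on the parsing tier: indexer or heavy forwarder) ---
# Assumption: the input delivers these events with sourcetype "flight_xml".
# The stanza keys on the ARRIVING sourcetype; transforms run in the order listed.
[flight_xml]
TRANSFORMS-flightevent = set_flightevent_sourcetype, route_flightevent_index

# --- transforms.conf ---
[set_flightevent_sourcetype]
# Assumed tag layout; change to match the real XML (e.g. <FlightEvent>).
REGEX = <Flight>\s*<Event>
# Double colon is required for a sourcetype override.
FORMAT = sourcetype::FlightEvent
DEST_KEY = MetaData:Sourcetype

[route_flightevent_index]
REGEX = <Flight>\s*<Event>
# Assumed index name; it must be defined in indexes.conf or events fall back to main.
FORMAT = flightevents
DEST_KEY = _MetaData:Index
```

After restarting the parsing instance, `splunk btool props list flight_xml --debug` and `splunk btool transforms list set_flightevent_sourcetype --debug` show whether the stanzas are being picked up and from which file; a search such as `index=flightevents sourcetype=FlightEvent` on newly arriving data confirms both overrides took effect (events indexed before the change are not retyped).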
