I have multiple host in my network using UDP:514 syslog to main index in splunk but now i want to create separate "production" index for critical server. so how should i divert syslog traffic to new index ? I read on google people talking about props.conf but how it will work ?
asked 04 Mar '11, 18:20
I've got something similar working where I'm sending specific type syslog msg to a separate index. In my case I'm specifying [syslog] in my props.conf and then doing a regex match for the msg I want in the transforms.conf.
If you're only sending syslog msgs from the host you want, you can probably filter on the host itself to send all msgs to the separate index. Something like the below (I haven't tested this btw)