
index route

程序员文章站 2022-06-02 18:42:03

 

https://answers.splunk.com/answers/50761/how-do-i-route-data-to-specific-index-based-on-a-field.html

    2012/06/07 10:45:50 service=srvc1 server=node3 score=50 seq=55041
    2012/06/07 10:45:50 service=srvc3 server=node1 score=17 seq=55042
    2012/06/07 10:45:50 service=srvc2 server=node1 score=67 seq=55043
    2012/06/07 10:45:50 service=srvc2 server=node4 score=43 seq=55044
    2012/06/07 10:45:50 service=srvc3 server=node2 score=11 seq=55045
    2012/06/07 10:45:50 service=srvc3 server=node2 score=60 seq=55046
    2012/06/07 10:45:50 service=srvc1 server=node0 score=28 seq=55047
    2012/06/07 10:45:50 service=srvc1 server=node0 score=4 seq=55048

 

 

Hi jeff,

I could get it to work with the following config.

  • props.conf

    [sample1]
    TRANSFORMS-index_routing = route_data_to_index_by_field_service

  • transforms.conf

    [route_data_to_index_by_field_service]
    REGEX = .*service=(.*?)[ ]
    DEST_KEY = _MetaData:Index
    FORMAT = $1

  • Result

    $ ./splunk search 'index=* sourcetype=sample1 | head limit=10 | table index, service, server'
    index service server
    ----- ------- ------
    srvc2 srvc2 node1
    srvc2 srvc2 node0
    srvc3 srvc3 node1
    srvc2 srvc2 node4
    srvc3 srvc3 node0
    srvc2 srvc2 node4
    srvc2 srvc2 node0
    srvc1 srvc1 node4
    srvc2 srvc2 node1
    srvc1 srvc1 node0

  • Now I can move forward to configure the RBAC thing... thanks!
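
A dry run of the routing transform above, as an added example that is not part of the original answer: it applies the stanza's REGEX and `FORMAT = $1` to sample events and flags any captured value that is not a defined index, which matters once per-index RBAC depends on this routing. The pattern is written as `.*service=(.*?)[ ]` (assumed to be the intended form), and the allowed index set, the `main` default and the two extra events are assumptions constructed for the check.

```python
import re

# Assumed intended form of the stanza's REGEX; FORMAT = $1 means "use capture group 1".
ROUTE_REGEX = re.compile(r".*service=(.*?)[ ]")

# Assumption: the indexes defined in indexes.conf (taken from the result table).
ALLOWED_INDEXES = {"srvc1", "srvc2", "srvc3"}

# First three events are from the page; the last two are constructed for this check.
SAMPLE_EVENTS = [
    "2012/06/07 10:45:50 service=srvc1 server=node3 score=50 seq=55041",
    "2012/06/07 10:45:50 service=srvc3 server=node1 score=17 seq=55042",
    "2012/06/07 10:45:50 service=srvc2 server=node1 score=67 seq=55043",
    "2012/06/07 10:45:50 service=srvc9 server=node9 score=1 seq=90001",  # constructed
    "2012/06/07 10:45:50 server=node9 score=1 seq=90002",  # constructed, no service field
]


def route(event, default_index="main"):
    """Return (index, status) the transform would produce for one raw event."""
    match = ROUTE_REGEX.search(event)
    if match is None:
        # The transform does not fire; the event keeps the index set by its input
        # (assumed here to be "main").
        return default_index, "no-match"
    index = match.group(1)
    if index not in ALLOWED_INDEXES:
        # The event content names an index that was never defined.
        return index, "unexpected-index"
    return index, "ok"


def dry_run(events):
    """Route every event and return the list of (index, status) pairs."""
    return [route(event) for event in events]


if __name__ == "__main__":
    for event, (index, status) in zip(SAMPLE_EVENTS, dry_run(SAMPLE_EVENTS)):
        print(f"{status:17} {index:8} {event}")
```

Because the destination index comes straight from event content, restricting the capture group to the known service names in the REGEX itself keeps unexpected values from choosing a destination.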