-
I think using filter transforms is the easiest way to do it. You could also create unique vector sink/source pairs with different addresses (with unique ports) for each file type, but this feels significantly more complicated. And you can append enrichment data using VRL, but through the remap transform. We even support enrichment tables, which might fit your use case: https://vector.dev/docs/reference/vrl/functions/#find_enrichment_table_records
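The layout described in the reply above, written out as a configuration for instance B. This is an added example, not part of the original discussion or the Vector project's own configuration; the component names, listen address, output directory and the `received_by` field are assumptions, and it assumes events arriving on B still carry the `source_type` set on A, as the question describes.

```toml
# Added example for instance B; component names, address and paths are assumptions.
[sources.from_a]
type = "vector"
address = "0.0.0.0:6000"

# One filter per destination; each condition is a VRL boolean expression.
[transforms.only_syslog]
type = "filter"
inputs = ["from_a"]
condition = '.source_type == "syslog"'

[transforms.only_file]
type = "filter"
inputs = ["from_a"]
condition = '.source_type == "file"'

# Catch-all: everything that matched neither filter above (including http).
[transforms.only_others]
type = "filter"
inputs = ["from_a"]
condition = '.source_type != "syslog" && .source_type != "file"'

# Enrichment is done in remap; a filter only keeps or drops events.
[transforms.enrich_syslog]
type = "remap"
inputs = ["only_syslog"]
source = '''
.received_by = "instance-b"  # constructed field and value
'''

[sinks.syslog_file]
type = "file"
inputs = ["enrich_syslog"]
path = "/var/log/vector/syslogevents.txt"
encoding.codec = "json"

[sinks.file_file]
type = "file"
inputs = ["only_file"]
path = "/var/log/vector/filevents.txt"
encoding.codec = "json"

[sinks.others_file]
type = "file"
inputs = ["only_others"]
path = "/var/log/vector/others.txt"
encoding.codec = "json"
```

The three conditions are mutually exclusive, so each event is written to exactly one file.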
-
Hello,
I have two instances of vector running (one forwarding events (say A) to the second instance (say B) using sinks.vector).
The instance A sink gets events from multiple sources; the ones that I am using currently are http, syslog and file.
Once these events are received on instance B, what's the most efficient way to separate these out again and write them into 3 different files? For example: if source_type == "syslog", write the events into syslogevents.txt, if source_type == "file", write it into filevents.txt, else write to others.txt.
One way that I can think of doing this is to pass the events through 3 different filter transforms, and then these outputs would go to 3 different sinks with type as file. Is there any other way of doing it without passing it through 3 filters?
And say I also have to append something to the event (like enrichment data), would I be able to do it through the filter transform? Or should I pass it again through a remap transform?
Thanks.