Define a source in vector.yaml (or TOML/JSON) with a unique component ID, type (e.g., file, syslog, kafka, http), and any required options such as include paths or address
Add a transform of type remap; set inputs to your source ID and write a VRL program in the source field to parse, enrich, and reshape events—for example: . |= parse_json!(.message) to parse a JSON body into top-level fields
Use VRL's structured error handling (the ! suffix aborts on error; the ? suffix passes errors to a metadata field) to prevent a single malformed event from dropping the entire batch
Add a route transform to fan out events to different sinks based on field values; each route condition is a VRL boolean expression, and unmatched events go to the _unmatched output
Define sinks (loki, elasticsearch, aws_s3, splunk_hec, kafka, etc.) with inputs pointing at the transform or route output IDs; multiple sinks can consume the same transform output for fan-out
Run vector validate --config vector.yaml before deploying to check syntax and component graph integrity; run vector top in a terminal to inspect live event rates per component
Known gotchas
VRL programs run in a sandboxed, pure-functional environment—you cannot make network calls or access external state inside a remap transform; use enrichment tables (file or mmdb type) loaded at startup for static lookups
Vector buffers are in-memory by default; under heavy load or a slow downstream sink, the in-memory buffer fills and Vector applies backpressure to sources—configure disk buffers for sinks where durability matters
The route transform emits unmatched events on the _unmatched output; if no sink consumes _unmatched, those events are silently dropped—always wire _unmatched to a fallback sink or a blackhole sink with logging enabled
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp