https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59086#M818 <P>We have data from this host that is going to indexA. I really want to be able to keep my hands off the LWF configuration so I don't have to set those up.</P> Thu, 30 Sep 2010 06:07:57 GMT the_wolverine 2010-09-30T06:07:57Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59079#M811 <P>I have syslog-ng data coming from LWFs that have been earmarked for indexA. I want to intercept these events and reroute them to another index called indexB. It doesn't seem to be working. Am I missing something basic?</P> <P>The sourcetype is syslog so in props I have:</P> <PRE><CODE>[syslog] TRANSFORMS-route = route2indexB </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[route2indexB] REGEX=(192.168.1.12) DEST_KEY = _MetaData:Index FORMAT = indexB </CODE></PRE> <P>I've tried multiple iterations of this configuration including using source and host in props.conf. I can't seem to get the data to go to indexB. </P> Tue, 28 Sep 2010 04:58:12 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59079#M811 the_wolverine 2010-09-28T04:58:12Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59080#M812 <P>please provide a complete splunk diag</P> Tue, 28 Sep 2010 10:14:11 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59080#M812 gkanapathy 2010-09-28T10:14:11Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59081#M813 <P>You are doing IT wrong</P> Tue, 28 Sep 2010 22:40:03 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59081#M813 Simeon 2010-09-28T22:40:03Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59082#M814 <P>Har Har Har, guys.</P> Tue, 28 Sep 2010 23:02:41 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59082#M814 the_wolverine 2010-09-28T23:02:41Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59083#M815 <P>Simeon, how am I doing IT wrong?</P> Tue, 28 Sep 2010 23:19:52 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59083#M815 the_wolverine 2010-09-28T23:19:52Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59084#M816 <P>instead of doing it with props/transforms, why do you not tell the LWF to send to indexB? Rerouting with props/transforms even if possible should cause slowness in indexing...</P> Wed, 29 Sep 2010 04:50:34 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59084#M816 Genti 2010-09-29T04:50:34Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59085#M817 <P>Continuing my comment:<BR /> Telling the LWF where to send the data should be cheaper (resourcewise) and quite easy. here's an answer with a similar idea: <A href="http://answers.splunk.com/questions/5134/can-i-forward-different-data-inputs-to-different-splunk-indexers-on-a-light-forwa" rel="nofollow">http://answers.splunk.com/questions/5134/can-i-forward-different-data-inputs-to-different-splunk-indexers-on-a-light-forwa</A></P> Wed, 29 Sep 2010 04:54:39 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59085#M817 Genti 2010-09-29T04:54:39Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59086#M818 <P>We have data from this host that is going to indexA. I really want to be able to keep my hands off the LWF configuration so I don't have to set those up.</P> Thu, 30 Sep 2010 06:07:57 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59086#M818 the_wolverine 2010-09-30T06:07:57Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59087#M819 <P>Turns out the LWF was not a LWF. It was a heavyweight forwarder <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> <P>Thanks to Raitz for figuring that out. He spotted the _linebreaker in the tcpdump output which is an indication of cooked data.</P> <P>I had the system owner enable LWF from CLI and all is working as expected.</P> Thu, 30 Sep 2010 06:09:48 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59087#M819 the_wolverine 2010-09-30T06:09:48Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59088#M820 <P>Here's the tcpdump command that was run at the indexer: /usr/sbin/tcpdump -A -s 1512 host <IP_ADDRESS> and port 9997</IP_ADDRESS></P> Thu, 30 Sep 2010 06:13:05 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59088#M820 the_wolverine 2010-09-30T06:13:05Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59089#M821 <P>Wow. Would have been easier if you'd sent a Splunk diag.</P> Thu, 30 Sep 2010 10:50:37 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59089#M821 gkanapathy 2010-09-30T10:50:37Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59090#M822 <P>Ghetto. If you had control over the forwarder configs, maybe you could actually be sure it was a LWF.</P> Thu, 30 Sep 2010 10:51:01 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59090#M822 gkanapathy 2010-09-30T10:51:01Z https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59091#M823 <P>I'm not here to babysit forwarders <span class="lia-unicode-emoji" title=":winking_face:">😉</span> Not Ghetto.</P> Thu, 30 Sep 2010 22:40:36 GMT https://community.splunk.com/t5/Splunk-Dev/Reroute-data-that-is-marked-for-an-index/m-p/59091#M823 the_wolverine 2010-09-30T22:40:36Z