<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Using INDEX_EVAL Lookup to Route Data to New Index and Sourcetype in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Using-INDEX-EVAL-Lookup-to-Route-Data-to-New-Index-and/m-p/677447#M113256</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I'm looking to change our indexing architecture.&lt;/P&gt;&lt;P&gt;We have dozens of AWS accounts. We use the Splunk AWS app to ingest the data from an SQS queue. Currently, we have a single SQS-based input type for each individual AWS account that grabs all the data and applies the index and a catch-all sourcetype named aws:logbucket.&lt;/P&gt;&lt;P&gt;From there, we route the data to a more specific sourcetype based on the type of data. aws:logbucket will be changed to aws:cloudwatch:vpcflowlogs, aws:cloudtrail, aws:config, etc.&lt;/P&gt;&lt;P&gt;This has worked well enough for us, but I now have a new requirement.&lt;/P&gt;&lt;P&gt;For each of these AWS accounts, I want a separate index for the specific AWS service by AWS account, i.e. awsaccount1-vpcflow, awsaccount1-cloudtrail, awsaccount2-vpcflow, etc. We use S2, so storing aws:cloudtrail with aws:cloudwatch:vpcflow hurts the performance of aws:cloudtrail data. Searching for aws:cloudtrail data requires us to write all aws:cloudwatch:vpcflow data back to disk. This has accounted for 120x more buckets being written to disk for aws:cloudtrail since it's stored with VPCFlow. Expanding these indexes to be more specific will have huge performance improvements for my Splunk environment.&lt;/P&gt;&lt;P&gt;I would like to use a lookup table to match the source of the SQS-based S3 to specify the index and sourcetype. I am unable to do this using regex and FORMAT, since the bucket names and index names are not a 1-1 match, i.e. for s3://acc1/cloudtrail/..., I would like to have a lookup table that tells it to route to index account1 and sourcetype aws:cloudtrail; for s3://acc2/config/..., I would like to have it route to index account2 and sourcetype aws:config.&lt;/P&gt;&lt;P&gt;After that long summary... how do I technically implement this, and how will a lookup with ~300-400 different rows affect performance?&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;&lt;P&gt;Nate&lt;/P&gt;</description>
    <pubDate>Tue, 13 Feb 2024 17:33:15 GMT</pubDate>
    <dc:creator>nateloepker</dc:creator>
    <dc:date>2024-02-13T17:33:15Z</dc:date>
    <item>
      <title>Using INDEX_EVAL Lookup to Route Data to New Index and Sourcetype</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Using-INDEX-EVAL-Lookup-to-Route-Data-to-New-Index-and/m-p/677447#M113256</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I'm looking to change our indexing architecture.&lt;/P&gt;&lt;P&gt;We have dozens of AWS accounts. We use the Splunk AWS app to ingest the data from an SQS queue. Currently, we have a single SQS-based input type for each individual AWS account that grabs all the data and applies the index and a catch-all sourcetype named aws:logbucket.&lt;/P&gt;&lt;P&gt;From there, we route the data to a more specific sourcetype based on the type of data. aws:logbucket will be changed to aws:cloudwatch:vpcflowlogs, aws:cloudtrail, aws:config, etc.&lt;/P&gt;&lt;P&gt;This has worked well enough for us, but I now have a new requirement.&lt;/P&gt;&lt;P&gt;For each of these AWS accounts, I want a separate index for the specific AWS service by AWS account, i.e. awsaccount1-vpcflow, awsaccount1-cloudtrail, awsaccount2-vpcflow, etc. We use S2, so storing aws:cloudtrail with aws:cloudwatch:vpcflow hurts the performance of aws:cloudtrail data. Searching for aws:cloudtrail data requires us to write all aws:cloudwatch:vpcflow data back to disk. This has accounted for 120x more buckets being written to disk for aws:cloudtrail since it's stored with VPCFlow. Expanding these indexes to be more specific will have huge performance improvements for my Splunk environment.&lt;/P&gt;&lt;P&gt;I would like to use a lookup table to match the source of the SQS-based S3 to specify the index and sourcetype. I am unable to do this using regex and FORMAT, since the bucket names and index names are not a 1-1 match, i.e. for s3://acc1/cloudtrail/..., I would like to have a lookup table that tells it to route to index account1 and sourcetype aws:cloudtrail; for s3://acc2/config/..., I would like to have it route to index account2 and sourcetype aws:config.&lt;/P&gt;&lt;P&gt;After that long summary... how do I technically implement this, and how will a lookup with ~300-400 different rows affect performance?&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;&lt;P&gt;Nate&lt;/P&gt;</description>
      <pubDate>Tue, 13 Feb 2024 17:33:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Using-INDEX-EVAL-Lookup-to-Route-Data-to-New-Index-and/m-p/677447#M113256</guid>
      <dc:creator>nateloepker</dc:creator>
      <dc:date>2024-02-13T17:33:15Z</dc:date>
    </item>
  </channel>
</rss>