topic Re: Change index based on source and index from different environments in Getting Data In

Change index based on source and index from different environments

splunkreal — Thu, 03 Apr 2025 21:11:40 GMT

Hello,

we have Windows servers from two environments, we want WinEventLog source (Windows Events logs) to go in "windows" index from main environment and secondary environment to go to "sec_windows". On UF from secondary environment we have setup inputs.conf with index = sec_windows but this doesn't work : all goes to windows index, could you help ? Thank you very much.

props.conf [source::WinEventLog:*] TRANSFORMS-set_index_sec_windows = set_index_sec_windows TRANSFORMS-set_index_windows_wineventlog = set_index_windows_wineventlog transforms.conf # Windows [set_index_windows_wineventlog] SOURCE_KEY = MetaData:Source REGEX = WinEventLog DEST_KEY = _MetaData:Index FORMAT = windows [set_index_sec_windows] SOURCE_KEY = _MetaData:Index REGEX = sec_windows DEST_KEY = _MetaData:Index FORMAT = sec_windows

Re: Change index based on source and index from different environments

livehybrid — Thu, 03 Apr 2025 21:31:21 GMT

Hi @splunkreal

Are you able to set the index in the inputs.conf on the UF on in your secondary environment?

If not then you will need to use props/transforms as described - However this configuration will not work by default on a UF as this parsing is done on a HF/Indexer. I presume this is currently applied to the UF, otherwise it would also change the configuration for your primary environment?

🌟 Did this answer help you? If so, please consider:

Adding kudos to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Re: Change index based on source and index from different environments

splunkreal — Fri, 04 Apr 2025 06:28:46 GMT

Hello yes UF is already setup on secondary environment. On first environment we use _TCP_ROUTING as we also have two Splunk platforms...

Re: Change index based on source and index from different environments

gcusello — Fri, 04 Apr 2025 07:40:17 GMT

Hi @splunkreal ,

as @livehybrid said, the easiest approach is to create two copies of the Splunk_TA_Windows that differ only for the index in the input stanzas.

If not possible, you could follow the approach that you described.

Remember that in the second case, you have to put these configurations not in the Universal Forwarders, but in the first full Splunk instance that data pass throug, in other words on indexers or, if present on intermediate Heavy Forwarders.

Ciao.

Giuseppe

Re: Change index based on source and index from different environments

livehybrid — Mon, 07 Apr 2025 14:24:43 GMT

If you're applying those props/transforms to the UF then that would explain why it isnt taking effect - the parsing is not carried out on the UF (except specifically enabled!) so they will need applying on the HF, unless you're able to set the correct index values on the secondary environment UFs.

🌟 Did this answer help you? If so, please consider:

Adding kudos to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Change index based on source and index from different environments

splunkreal — Mon, 07 Apr 2025 15:34:42 GMT

Hello, we found solution, there was metadata index source key that was possible to use. Thanks for your help guys.