topic Re: Heavy Forwarder configure to populate data to two separate indexes in Getting Data In

Heavy Forwarder configure to populate data to two separate indexes

mookiie2005 — Mon, 28 Sep 2020 14:17:23 GMT

We are running a heavy forwarder. We want to send the perfmon data that it is currently receiving to two separate indexes. the Perfmon:CPU Load to index perfmon_cpu_load, and the Perfmon: Available Memory to perfmon_memory. How would we configure a heavy forwarder to do this? Ity is currently sending the data into main on the indexer. This forwarder does not have indexing currently enabled.

This is our current props.conf stanza:
[perfmon_cpu_load]
TRANSFORMS-routing=perfmon_cpu_load

[perfmon_memory]
TRANSFORMS-routing=perfmon_memory

This is our current transforms.conf stanzas:

[perfmon_cpu_load]
SOURCETYPE=Perfmon:CPU Load
DEST_KEY=_MetaData:Index
FORMAT=perfmon_cpu_load

[perfmon_memory]
SOURCETYPE=Perfmon:Avalible Memory
DEST_KEY=_MetaData:Index
FORMAT=perfmon_memory

Re: Heavy Forwarder configure to populate data to two separate indexes

lguinn2 — Tue, 09 Jul 2013 19:50:52 GMT

Transforms.conf does not have a sourcetype key. Your stanza needs to look like this

[perfmon_memory]
SOURCE_KEY = MetaData:Sourcetype
REGEX =Perfmon\:Available Memory
DEST_KEY=_MetaData:Index
FORMAT=perfmon_memory

[perfmon_cpu_load]
SOURCE_KEY = MetaData:Sourcetype
REGEX=Perfmon\:CPU Load
DEST_KEY=_MetaData:Index
FORMAT=perfmon_cpu_load

These settings are specified in transforms.conf.spec which can be found in your Splunk installation under $SPLUNK_HOME/etc/system/README or in the documentation on transforms.conf

Re: Heavy Forwarder configure to populate data to two separate indexes

mookiie2005 — Tue, 09 Jul 2013 20:02:33 GMT

This does not seem to be working the data is still only appearing in the "main" index. Anyone have any other ideas?

Re: Heavy Forwarder configure to populate data to two separate indexes

mookiie2005 — Wed, 10 Jul 2013 12:45:26 GMT

Does indexing need to be enabled on the forwarder for this to work correctly?

Re: Heavy Forwarder configure to populate data to two separate indexes

lguinn2 — Wed, 10 Jul 2013 17:30:04 GMT

You should not enable indexing on the forwarder - this will cause the data to be stored locally on the heavy forwarder, which you do not want.

Re: Heavy Forwarder configure to populate data to two separate indexes

lguinn2 — Wed, 10 Jul 2013 18:44:39 GMT

The question that comes to mind is "when and how is the sourcetype assigned for Windows event logs?" Perhaps the sourcetyping is not complete at the time these transforms are run. So perhaps we need to find a different SOURCE_KEY and REGEX -- or look into altering the order of evaluation of the transformations...

Re: Heavy Forwarder configure to populate data to two separate indexes

mookiie2005 — Thu, 11 Jul 2013 13:01:59 GMT

Is their anyway to see the raw data as it comes to the heavy forwarder? You maybe right maybe these sourcetypes are being applied at/after the time of indexing.

Re: Heavy Forwarder configure to populate data to two separate indexes

mookiie2005 — Mon, 28 Sep 2020 14:19:12 GMT

Ok I found the raw data:
07/11/2013 08:35:59.720
collection="CPU Load"
object=Processor
counter="% User Time"
instance=_Total
Value=0.46874700001919994
should I use the key value pair [collection="CPU Load"]?
something like this
[perfmon_cpu_load]
SOURCE_KEY = MetaData:collection
REGEX=CPU Load
DEST_KEY=_MetaData:Index
FORMAT=perfmon_cpu_load

Re: Heavy Forwarder configure to populate data to two separate indexes

mookiie2005 — Thu, 11 Jul 2013 13:46:56 GMT

I should point out that we have a universal forwarder sending perfmon data to the heavy forwarder. Could we not use indexing on the heavy forwarder to assign sourcetype to the data and than forward that data on to the indexers based on sourcetype since it does not seem to be defined in the raw data? The reason we have a universal forwarder sending data to the heavy forwarder is so we can load balance the data between the two indexers.