https://community.splunk.com/t5/Getting-Data-In/Different-index-based-on-hostname/m-p/160502#M32536 <P>Hi, All.</P> <P>I'm trying to send specific hostnames to a different index, but not making a lot of progress.<BR /> We have 2 forwarders (splunkforwarder), 1 indexer and 1 search head.</P> <P>I've put the following configs under <EM>$SPLUNK_HOME/etc/system/local/</EM></P> <P>props.conf:</P> <PRE><CODE>[host::*.mpls.domain.com] TRANSFORMS-index = mpls </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[mpls] REGEX = . DEST_KEY = _MetaData:Index FORMAT = mpls </CODE></PRE> <P>Restarted splunk, but data keeps going to the main index.<BR /> Any ideas how I can troubleshoot that, please?</P> Mon, 12 May 2014 15:54:48 GMT ebastos 2014-05-12T15:54:48Z https://community.splunk.com/t5/Getting-Data-In/Different-index-based-on-hostname/m-p/160502#M32536 <P>Hi, All.</P> <P>I'm trying to send specific hostnames to a different index, but not making a lot of progress.<BR /> We have 2 forwarders (splunkforwarder), 1 indexer and 1 search head.</P> <P>I've put the following configs under <EM>$SPLUNK_HOME/etc/system/local/</EM></P> <P>props.conf:</P> <PRE><CODE>[host::*.mpls.domain.com] TRANSFORMS-index = mpls </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[mpls] REGEX = . DEST_KEY = _MetaData:Index FORMAT = mpls </CODE></PRE> <P>Restarted splunk, but data keeps going to the main index.<BR /> Any ideas how I can troubleshoot that, please?</P> Mon, 12 May 2014 15:54:48 GMT https://community.splunk.com/t5/Getting-Data-In/Different-index-based-on-hostname/m-p/160502#M32536 ebastos 2014-05-12T15:54:48Z https://community.splunk.com/t5/Getting-Data-In/Different-index-based-on-hostname/m-p/160503#M32537 <P>Your configuration looks correct. Where is it applied? It needs to be on the indexer. I would use btool to make sure the configuration is coming out like expected:</P> <PRE><CODE>splunk cmd btool --debug props list "host::*.mpls.domain.com" splunk cmd bootl --debug transforms list "mpls" </CODE></PRE> Mon, 12 May 2014 16:31:11 GMT https://community.splunk.com/t5/Getting-Data-In/Different-index-based-on-hostname/m-p/160503#M32537 dwaddle 2014-05-12T16:31:11Z https://community.splunk.com/t5/Getting-Data-In/Different-index-based-on-hostname/m-p/160504#M32538 <P>Good news is that the debug command works.<BR /> Bad news is that I still don't see why it's not working. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>The files are indeed on the indexer.</P> <P>/opt/splunk/etc/system/local/transforms.conf [mpls]<BR /> /opt/splunk/etc/system/local/transforms.conf DEST_KEY = _MetaData:Index<BR /> /opt/splunk/etc/system/local/transforms.conf FORMAT = mpls<BR /> /opt/splunk/etc/system/local/transforms.conf REGEX = .</P> Mon, 12 May 2014 16:47:23 GMT https://community.splunk.com/t5/Getting-Data-In/Different-index-based-on-hostname/m-p/160504#M32538 ebastos 2014-05-12T16:47:23Z