topic Re: Routing not working as expected in Getting Data In

Routing not working as expected

mikefoti — Mon, 28 Sep 2020 10:08:49 GMT

I made the following edits in the to the local\props and transforms files in order to redirect all events coming from the Splunk UF on the host name fofrd to the index name tmg:

props.conf

[host::fofrd]
TRANSFORMS-force_index_for_fofrd = force_index_tmg

transforms.conf

[force_index_tmg]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = tmg

After the edits I restared splunkd and the SUF service on the other host. But I'm not getting what I expected. While I do get SOME events routed to the new TMG index, thy all seem to be related to the SplunkUF service itself. Other events, the ones I care about, still get forwarded to the defauel index.

Re: Routing not working as expected

_d_ — Wed, 23 Nov 2011 20:37:49 GMT

The reason for this behavior is that the field host of those events is not fofrd. fofrd is the host of events that originate from the UF itself. What I suggest you to do in this case is to use either the host of the events or source:: (instead of host::) in your props and list all sources from that UF. Ex:

props.conf [source::/my/path/being/monitored] TRANSFORMS-force_index_for_fofrd = force_index_tmg

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Re: Routing not working as expected

mikefoti — Fri, 25 Nov 2011 14:11:24 GMT

Thanks for your suggestion. Actually the host field in the events in the TMG index is in fact polulated with "fofrd". It looks now like the original edits I made were correct after all. I beleive I did not see any events becuase there were no events. But when I came in this AM to consider implementing your suggestion, I noticed plenty of events have been collected, without making any new changes.