https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164230#M33289 <P>Forwarder- outputs.conf</P> <P>[tcpout:splunkssl]<BR /> server = splunk.abc.com:9997<BR /> compressed = true</P> <P>[tcpout-server://splunk.abc.com:9997]<BR /> sslCertPath = $SPLUNK_HOME/etc/certs/forwarder.pem<BR /> sslPassword = password<BR /> sslRootCAPath = $SPLUNK_HOME/etc/certs/cacert.pem</P> Mon, 28 Sep 2020 17:14:43 GMT dhavamanis 2020-09-28T17:14:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164226#M33285 <P>Can you please provide sample configuration for the below, We have multiple forwarding sources and they are using syslog-ng. how to assign index based on log filename at indexer side.</P> <P>Example :</P> <P>mynbc-syslog-2015-07-30.log pattern files to go "mynbc" index<BR /> msnbc-syslog-2015-07-29.log patter files to go "msnbc" index<BR /> bravotv-syslog-2015-08-01_1.log patter files to go "bravotv" index</P> Wed, 30 Jul 2014 17:58:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164226#M33285 dhavamanis 2014-07-30T17:58:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164227#M33286 <P>Check this<BR /> <A href="http://answers.splunk.com/answers/38547/sending-certain-logs-from-udp-port-514-to-specific-indexes">http://answers.splunk.com/answers/38547/sending-certain-logs-from-udp-port-514-to-specific-indexes</A></P> Wed, 30 Jul 2014 20:18:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164227#M33286 strive 2014-07-30T20:18:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164228#M33287 <P>Can you please provide the sample REGEX while using the the file name pattern like this ${sitename}.${logname} ${Existing MSG}. we want to parse the sitename and assign to index name.</P> Fri, 01 Aug 2014 14:47:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164228#M33287 dhavamanis 2014-08-01T14:47:47Z https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164229#M33288 <P>trying with the below config, seems its not working for me, Can you please correct this if anything wrong,</P> <P>props.conf</P> <P>[syslog]<BR /> TRANSFORMS-idx_routing = generic_idx_routing</P> <P>transforms.conf (created index abc)</P> <P>[generic_idx_routing]<BR /> SOURCE_KEY = MetaData:Host<BR /> REGEX = abc.xyz.\nbcu.com<BR /> DEST_KEY = _MetaData:Index<BR /> FORMAT = $1</P> <P>inputs.conf</P> <P>[splunktcp-ssl:9997]<BR /> compressed = true<BR /> sourcetype = syslog</P> <P>[SSL]<BR /> password = password<BR /> requireClientCert = false<BR /> rootCA = $SPLUNK_HOME/etc/certs/cacert.pem<BR /> serverCert = $SPLUNK_HOME/etc/certs/splunknode.pem</P> Mon, 28 Sep 2020 17:14:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164229#M33288 dhavamanis 2020-09-28T17:14:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164230#M33289 <P>Forwarder- outputs.conf</P> <P>[tcpout:splunkssl]<BR /> server = splunk.abc.com:9997<BR /> compressed = true</P> <P>[tcpout-server://splunk.abc.com:9997]<BR /> sslCertPath = $SPLUNK_HOME/etc/certs/forwarder.pem<BR /> sslPassword = password<BR /> sslRootCAPath = $SPLUNK_HOME/etc/certs/cacert.pem</P> Mon, 28 Sep 2020 17:14:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164230#M33289 dhavamanis 2020-09-28T17:14:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164231#M33290 <P>Filename-based transforms.conf use the <CODE>source</CODE> key from the metadata like this:</P> <PRE><CODE>[send_to_index_by_source] SOURCE_KEY = MetaData:Source REGEX = ^source::/path/to/files/(\w+)-syslog DEST_KEY = _MetaData:Index FORMAT = $1 </CODE></PRE> <P>Reference that in props.conf with <CODE>TRANSFORMS-foo = send_to_index_by_source</CODE>.</P> Fri, 01 Aug 2014 21:12:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-assign-syslog-file-to-specific-index-based-on-file-name/m-p/164231#M33290 martin_mueller 2014-08-01T21:12:10Z