route data to different index based on two fields

kittu26 — Mon, 26 May 2014 05:57:40 GMT

For the below data, I want to route indexes based on two fields : EventType and Department. All departments have separate indexes for TRACE events and non-TRACE events.

When EventType is TRACE and department is Department1
Then event should go to index Department1_TRACE

All non-TRACE event types (WARN,ERROR) should go to respective Department Index.
Like, WARN/ERROR event for Department2 should go to Index Department2.

Please help me with configuration files.

<?xml version="1.0" encoding="UTF-8"?>
<addresses>
  <address>
  <LogTime>02/22/2014 07:15:49 AM</LogTime>
<EventType>TRACE</EventType>
<Department>Department1</Department>
    <name>Joe Tester</name>
    <street>Baker street 5</street>
  </address>
   <address>
  <LogTime>02/22/2014 08:15:49 AM</LogTime>
<EventType>Error</EventType>
<Department>Department2</Department>
    <name>Joe Tester</name>
    <street>Baker street 5</street>
       </address> 
   <address>
  <LogTime>02/22/2014 09:15:49 AM</LogTime>
<EventType>WARN</EventType>
<Department>Department3</Department>
    <name>Joe Tester</name>
    <street>Baker street 5</street>
      </address>
</addresses>

Thanks!

Re: route data to different index based on two fields

DavidHourani — Mon, 26 May 2014 18:54:43 GMT

Check this out http://answers.splunk.com/answers/133299/route-data-to-indexes-based-on-fields it might be close to what you are looking for 😄

topic Re: route data to different index based on two fields in Getting Data In

route data to different index based on two fields

Re: route data to different index based on two fields