topic Re: Setting the index in props.conf in Getting Data In

Setting the index in props.conf

las — Mon, 05 Nov 2012 14:54:41 GMT

I have a configuration with a log root with several log files, most of these are harmless, but one file contains confidential information.

logroot\loga.log
logroot\logb.log  
logroot\secure.log

my inputs.conf monitors logroot.

I then use props.conf to set the sourcetype, but I would like to be able to route the secure.log to a different index.

Do I have to use a transform, and use ressources on my indexer, or could I specify this in either props og inputs.conf and do the selection on the universalForwarder?

Re: Setting the index in props.conf

Ayn — Mon, 05 Nov 2012 15:42:12 GMT

Why are you using props.conf to set sourcetype? The easiest is to do this directly in inputs.conf. Same goes for index.

Re: Setting the index in props.conf

yannK — Mon, 05 Nov 2012 15:55:03 GMT

2 remarks :

The Universal Forwarder cannot parse events. Any filtering has to happend at index time, therefore it has to be setup on the indexers or on a heavy forwarder.
if you already use a filter to change the sourcetype, you can add a new transforms to change the meta fiel "index" You will need : props.conf, transforms.conf see http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setupmultipleindexes#Route_specific_events_to_a_different_index

Re: Setting the index in props.conf

yannK — Mon, 05 Nov 2012 15:57:48 GMT

An easier alternative is to define a special inputs on your specific file that will setup the destination index.
A stanza that has an exact path will have precedence over one with a wilcard.

[monitor://logroot\*.log]
sourcetype=mygenericsourcetype
index=mygenericindex

[monitor://logroot\secure.log]
sourcetype=myspecificsourcetype
index=myspecificindex

Re: Setting the index in props.conf

bmacias84 — Mon, 05 Nov 2012 16:40:44 GMT

I would add a blacklist your generic monitor.



[monitor://logroot\*.log]

sourcetype=mygenericsourcetype

blacklist = secure.log$

index=mygenericindex

\

[monitor://logroot\secure.log]

sourcetype=myspecificsourcetype

index=myspecificindex

Re: Setting the index in props.conf

las — Tue, 06 Nov 2012 07:27:51 GMT

The files in the directory has different sourcetypes, so I need to set it on a per file basis.

Re: Setting the index in props.conf

las — Tue, 06 Nov 2012 07:30:09 GMT

Yes, that is why, I wondered if it was possible to do it earlier in the process, as it is not a per event filtering, but a per file.

Re: Setting the index in props.conf

las — Tue, 06 Nov 2012 07:30:45 GMT

Thanks, I will play around with this solution.

Re: Setting the index in props.conf

triest — Tue, 04 Mar 2014 14:24:09 GMT

Just FYI the generic with a blacklist and then a more specific monitor does not work in Splunk 6. Support has said it was never officially supported but the rules were a bit lose and have been tightened in 6.