<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Can I still send data to nullQueue while using _MetaData:Index to send data to an Alternate Index? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298939#M56539</link>
    <description>&lt;P&gt;I have tried this method that you suggested but it did not work either. It does not seem that the REGEX statement within the setnull stanza is the problem. Regardless of what I change the REGEX to, I cannot seem to get the data to parse to any index while using the setnull/nullQueue option, which is why it seems like there is a conflict with using nullQueue and _Metadata:Index, because either of those works independently of the other, but when used together they don't work.&lt;/P&gt;</description>
    <pubDate>Wed, 23 Aug 2017 20:05:59 GMT</pubDate>
    <dc:creator>mmcgrew</dc:creator>
    <dc:date>2017-08-23T20:05:59Z</dc:date>
    <item>
      <title>Can I still send data to nullQueue while using _MetaData:Index to send data to an Alternate Index?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298935#M56535</link>
      <description>&lt;P&gt;I have one source directory in the inputs.conf file that I need to parse out and send different events to different Indexes. &lt;BR /&gt;
I attempt to do this by using the _Metadata:Index Key within the transforms.conf file. While this works (I can direct events to different indexes using _Metadata:Index), I cannot send my unwanted items to nullQueue. The problem this creates is that all the leftover events (that didn't match a regex statement I had in transforms.conf) get sent to the default Index I defined in inputs.conf. I should be able to send all items that don't match my regex statement to nullQueue, but I cannot do this while utilizing the _Metadata:Index Key in transforms.conf. Looking below at the examples I've provided, once I use the "TRANSFORMS-null=setnull" in the props.conf file, nothing works (none of my data ends up in any index). I have tried moving the "TRANSFORMS-null=setnull" around to the top and bottom of the props file but still get nothing. Once I remove the "TRANSFORMS-null=setnull" statement from the props.conf file, I get the data I want in index2 and index3 but then get all the leftover data I don't want in index1. It seems as though whatever index is defined in the inputs.conf file will get all the leftover items as it is interpreted as the default index. If I could use nullQueue, then everything would be good. Any suggestions or help is appreciated. Thanks.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;inputs.conf&lt;/STRONG&gt;&lt;BR /&gt;
[monitor:///opt/sdata/events/server-A/splunk*]&lt;BR /&gt;
host = server-A&lt;BR /&gt;
source = A&lt;BR /&gt;
sourcetype = data1&lt;BR /&gt;
index = index1&lt;BR /&gt;
disabled = 0&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;props.conf&lt;/STRONG&gt;&lt;BR /&gt;
[host::server-A]&lt;BR /&gt;
TRANSFORMS-set1 = setparsingdata1&lt;BR /&gt;
[host::server-A]&lt;BR /&gt;
TRANSFORMS-set2 = setparsingdata2&lt;BR /&gt;
[host::server-A]&lt;BR /&gt;
TRANSFORMS-null = setnull&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;transforms.conf&lt;/STRONG&gt;&lt;BR /&gt;
[setnull]&lt;BR /&gt;
REGEX = .&lt;BR /&gt;
DEST_KEY = queue&lt;BR /&gt;
FORMAT = nullQueue&lt;/P&gt;

&lt;P&gt;[setparsingdata1]&lt;BR /&gt;
REGEX = ((^(?=.*Summary="BGP Peer Connection Established.*").+))&lt;BR /&gt;
DEST_KEY = _MetaData:Index&lt;BR /&gt;
FORMAT = index2&lt;/P&gt;

&lt;P&gt;[setparsingdata2]&lt;BR /&gt;
REGEX = ((^(?=.*Summary="BGP Peer Connection Idle.*").+))&lt;BR /&gt;
DEST_KEY = _MetaData:Index&lt;BR /&gt;
FORMAT = index3&lt;/P&gt;</description>
      <pubDate>Wed, 23 Aug 2017 17:25:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298935#M56535</guid>
      <dc:creator>mmcgrew</dc:creator>
      <dc:date>2017-08-23T17:25:53Z</dc:date>
    </item>
    <item>
      <title>Re: Can I still send data to nullQueue while using _MetaData:Index to send data to an Alternate Index?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298936#M56536</link>
      <description>&lt;P&gt;Give this a try (untested, to try on some sandbox first) (no changes to inputs.conf)&lt;/P&gt;

&lt;P&gt;props.conf (make sure to keep the setnull as leftmost entry)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[host::server-A]
TRANSFORMS-set1 = setnull,setparsingdata1,setparsingdata2
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;&lt;STRONG&gt;Updated&lt;/STRONG&gt;&lt;BR /&gt;
transforms.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[setnull]
REGEX = ^(?!.*Summary=\"BGP Peer Connection (Established|Idle).*)
DEST_KEY = queue
FORMAT = nullQueue

[setparsingdata1]
REGEX = ((^(?=.*Summary="BGP Peer Connection Established.*").+))
DEST_KEY = _MetaData:Index
FORMAT = index2

[setparsingdata2]
REGEX = ((^(?=.*Summary="BGP Peer Connection Idle.*").+))
DEST_KEY = _MetaData:Index
FORMAT = index3
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 23 Aug 2017 17:48:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298936#M56536</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2017-08-23T17:48:08Z</dc:date>
    </item>
    <item>
      <title>Re: Can I still send data to nullQueue while using _MetaData:Index to send data to an Alternate Index?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298937#M56537</link>
      <description>&lt;P&gt;Thank you for the quick response. I just tried this but no luck...no data getting to any of the indexes. Once I remove the setnull...it works - but then I end up indexing a bunch of unwanted events. &lt;/P&gt;</description>
      <pubDate>Wed, 23 Aug 2017 18:01:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298937#M56537</guid>
      <dc:creator>mmcgrew</dc:creator>
      <dc:date>2017-08-23T18:01:16Z</dc:date>
    </item>
    <item>
      <title>Re: Can I still send data to nullQueue while using _MetaData:Index to send data to an Alternate Index?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298938#M56538</link>
      <description>&lt;P&gt;Try the updated answer.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Aug 2017 19:30:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298938#M56538</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2017-08-23T19:30:21Z</dc:date>
    </item>
    <item>
      <title>Re: Can I still send data to nullQueue while using _MetaData:Index to send data to an Alternate Index?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298939#M56539</link>
      <description>&lt;P&gt;I have tried this method that you suggested but it did not work either. It does not seem that the REGEX statement within the setnull stanza is the problem. Regardless of what I change the REGEX to, I cannot seem to get the data to parse to any index while using the setnull/nullQueue option, which is why it seems like there is a conflict with using nullQueue and _Metadata:Index, because either of those works independently of the other, but when used together they don't work.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Aug 2017 20:05:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Can-I-still-send-data-to-nullQueue-while-using-MetaData-Index-to/m-p/298939#M56539</guid>
      <dc:creator>mmcgrew</dc:creator>
      <dc:date>2017-08-23T20:05:59Z</dc:date>
    </item>
  </channel>
</rss>

