https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327843#M60875 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/76857">@manikanta66</a>,</P> <P>_TCP_ROUTING routes set of data to set of servers which you have defined in outputs.conf with stanza starting from <CODE>[tcpout:....]</CODE><BR /> _MetaData:Index will route set of data to different index.</P> <P>Example: _TCP_ROUTING</P> <P>props.conf</P> <PRE><CODE>[test] TRANSFORMS-routing=errorRouting </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[errorRouting] REGEX=error DEST_KEY=_TCP_ROUTING FORMAT=errorGroup </CODE></PRE> <P>outputs.conf</P> <PRE><CODE>[tcpout:errorGroup] server=10.10.0.1:9997, 10.10.0.2:9997 </CODE></PRE> <P>In above example splunk will find <CODE>error</CODE> word from <CODE>test</CODE> sourcetype raw data and it will send it to tcpout group <CODE>errorGroup</CODE> which will send data to 2 indexers in load balanced way.</P> <P>Example: _MetaData:Index</P> <P>props.conf</P> <PRE><CODE>[test] TRANSFORMS-routing=errorRouting </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[errorRouting] REGEX=error DEST_KEY=_MetaData:Index FORMAT= error_index </CODE></PRE> <P>Let's assume that <CODE>test</CODE> sourcetype is sending data to <CODE>ok_index</CODE> index, now based on above example splunk will find raw data from <CODE>test</CODE> sourcetype with word <CODE>error</CODE> and it will write it to <CODE>error_index</CODE> index.</P> <P>I hope this helps.</P> <P>Thanks,<BR /> Harshil</P> Tue, 29 Sep 2020 17:04:11 GMT harsmarvania57 2020-09-29T17:04:11Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327842#M60874 <P>Please give me a practical explanation of <STRONG>DEST_KEY</STRONG> usage in transforms.conf </P> Tue, 05 Dec 2017 11:36:35 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327842#M60874 manikanta66 2017-12-05T11:36:35Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327843#M60875 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/76857">@manikanta66</a>,</P> <P>_TCP_ROUTING routes set of data to set of servers which you have defined in outputs.conf with stanza starting from <CODE>[tcpout:....]</CODE><BR /> _MetaData:Index will route set of data to different index.</P> <P>Example: _TCP_ROUTING</P> <P>props.conf</P> <PRE><CODE>[test] TRANSFORMS-routing=errorRouting </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[errorRouting] REGEX=error DEST_KEY=_TCP_ROUTING FORMAT=errorGroup </CODE></PRE> <P>outputs.conf</P> <PRE><CODE>[tcpout:errorGroup] server=10.10.0.1:9997, 10.10.0.2:9997 </CODE></PRE> <P>In above example splunk will find <CODE>error</CODE> word from <CODE>test</CODE> sourcetype raw data and it will send it to tcpout group <CODE>errorGroup</CODE> which will send data to 2 indexers in load balanced way.</P> <P>Example: _MetaData:Index</P> <P>props.conf</P> <PRE><CODE>[test] TRANSFORMS-routing=errorRouting </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[errorRouting] REGEX=error DEST_KEY=_MetaData:Index FORMAT= error_index </CODE></PRE> <P>Let's assume that <CODE>test</CODE> sourcetype is sending data to <CODE>ok_index</CODE> index, now based on above example splunk will find raw data from <CODE>test</CODE> sourcetype with word <CODE>error</CODE> and it will write it to <CODE>error_index</CODE> index.</P> <P>I hope this helps.</P> <P>Thanks,<BR /> Harshil</P> Tue, 29 Sep 2020 17:04:11 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327843#M60875 harsmarvania57 2020-09-29T17:04:11Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327844#M60876 <P>Hi @harsmarvania57,</P> <P>Thanks for your response. I have a doubt in your answer.</P> <H2>as per your 2nd example, the UF contain inputs.conf like below?</H2> <OL> <LI>[monitor://var/www/testing.log]</LI> <LI>disabled = 0</LI> <LI>sourcetype = test</LI> <LI>index = ok_index</LI> </OL> <P>you said "<STRONG>test sourcetype with word error will write it to error_index</STRONG>"<BR /> for the FORMAT key value, you mention <STRONG>error_index</STRONG></P> <P>here my doubts are<BR /> 1.which name I choose for a new index in the indexer<BR /> <STRONG>ok index</STRONG> OR <STRONG>error_index</STRONG>?<BR /> 2.If I have two indexers, How HF will find index without specifying the target-group in the FORMAT?</P> Wed, 06 Dec 2017 12:49:48 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327844#M60876 manikanta66 2017-12-06T12:49:48Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327845#M60877 <P>Based on 2nd example both index will require on your Indexers (<STRONG>ok_index</STRONG> and <STRONG>error_index</STRONG>)</P> <P>Let's say you have below events in your log files</P> <PRE><CODE>30-10-2017GMT17:12:00 ERROR This is error 30-10-2017GMT17:12:50 INFO This is info </CODE></PRE> <P>In this case 1st line(event) will got to <STRONG>error_index</STRONG> and 2nd line(event) will go to <STRONG>ok_index</STRONG></P> <P>You need to specify index name in <CODE>FORMAT</CODE> on HF in 2nd example, otherwise it will not work.</P> Wed, 06 Dec 2017 13:05:19 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327845#M60877 harsmarvania57 2017-12-06T13:05:19Z https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327846#M60878 <P>Thank you @harsmarvania57</P> Thu, 07 Dec 2017 05:48:24 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-difference-between-DEST-KEY-TCP-ROUTING-and-DEST-KEY/m-p/327846#M60878 manikanta66 2017-12-07T05:48:24Z