https://community.splunk.com/t5/Getting-Data-In/Send-events-from-TA-to-different-indexes-depending-on-hostname/m-p/377996#M68360 <P>Hi Splunkers.</P> <P>What approach are people using to send events from a TA to different indexes depending on what the hostname?</P> <P>For example:</P> <P>We have the Splunk_TA_nix addon deployed out to our Linux machines.<BR /> We want the same source events pulled in for all of our Linux machines but need the events going to different indexes depending on the host name. For reasons of access/security we need the hosts sending to an index specific that hosts environment</P> <P>i.e. for a given source:<BR /> - host1a, host1b and host1c sends events to "normal_index"<BR /> - host2a, host2b and host2c sends events to "secure_index"</P> <P>Our goal here is to avoid having to maintain multiple Linux TAs, with the only difference being the "index = " line in the inputs.conf.<BR /> I realise this could be done by copying the TA to a different directory name and updating the index.conf in one of them to use a different index name but code inside the TA seems to expect the TA to sit in a directory of "TA_Splunk_nix" and would break if running inside a differently-named directory.</P> <P>I don't want to manually change the directory name in the code as this makes upgrading the TA a nightmare.</P> <P>I've seen something similar to this done using whitelists to detect a hostname in the directory of "monitor" stanzas but this doesn't look to be available for "script" stanzas.</P> <P><STRONG>What I am asking:</STRONG><BR /> What method are people using to send events from a TA to different indexes depending on the hostname?</P> <P>To clarify: I am <EM>not</EM> wanting to send an event to multiple indexes from the same host.<BR /> Thanks.</P> Wed, 30 Sep 2020 01:13:32 GMT torowa 2020-09-30T01:13:32Z https://community.splunk.com/t5/Getting-Data-In/Send-events-from-TA-to-different-indexes-depending-on-hostname/m-p/377996#M68360 <P>Hi Splunkers.</P> <P>What approach are people using to send events from a TA to different indexes depending on what the hostname?</P> <P>For example:</P> <P>We have the Splunk_TA_nix addon deployed out to our Linux machines.<BR /> We want the same source events pulled in for all of our Linux machines but need the events going to different indexes depending on the host name. For reasons of access/security we need the hosts sending to an index specific that hosts environment</P> <P>i.e. for a given source:<BR /> - host1a, host1b and host1c sends events to "normal_index"<BR /> - host2a, host2b and host2c sends events to "secure_index"</P> <P>Our goal here is to avoid having to maintain multiple Linux TAs, with the only difference being the "index = " line in the inputs.conf.<BR /> I realise this could be done by copying the TA to a different directory name and updating the index.conf in one of them to use a different index name but code inside the TA seems to expect the TA to sit in a directory of "TA_Splunk_nix" and would break if running inside a differently-named directory.</P> <P>I don't want to manually change the directory name in the code as this makes upgrading the TA a nightmare.</P> <P>I've seen something similar to this done using whitelists to detect a hostname in the directory of "monitor" stanzas but this doesn't look to be available for "script" stanzas.</P> <P><STRONG>What I am asking:</STRONG><BR /> What method are people using to send events from a TA to different indexes depending on the hostname?</P> <P>To clarify: I am <EM>not</EM> wanting to send an event to multiple indexes from the same host.<BR /> Thanks.</P> Wed, 30 Sep 2020 01:13:32 GMT https://community.splunk.com/t5/Getting-Data-In/Send-events-from-TA-to-different-indexes-depending-on-hostname/m-p/377996#M68360 torowa 2020-09-30T01:13:32Z https://community.splunk.com/t5/Getting-Data-In/Send-events-from-TA-to-different-indexes-depending-on-hostname/m-p/377997#M68361 <P>I suggest you check out the documentation on "Filter event data and send to queues":</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">https://docs.splunk.com/Documentation/Splunk/7.3.0/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P> <P>Set your inputs.conf on all your Linux machines to "index = normal_index".</P> <P>Now configure routing on your heavy forwarder (or on your indexer if you don't have a heavy forwarder) as follows. props.conf:</P> <PRE><CODE>[host::host2a] TRANSFORMS-index = set_secure_index [host::host2b] TRANSFORMS-index = set_secure_index ... </CODE></PRE> <P>And transforms.com:</P> <PRE><CODE>[set_secure_index] REGEX = . DEST_KEY = _MetaData:Index FORMAT = secure_index </CODE></PRE> Wed, 03 Jul 2019 06:54:26 GMT https://community.splunk.com/t5/Getting-Data-In/Send-events-from-TA-to-different-indexes-depending-on-hostname/m-p/377997#M68361 whrg 2019-07-03T06:54:26Z https://community.splunk.com/t5/Getting-Data-In/Send-events-from-TA-to-different-indexes-depending-on-hostname/m-p/530830#M89327 <P>Were you able to get this problem resolved?</P><P>I am facing the same issue in my environment now and any guidance you may have would be appreciated!</P> Wed, 25 Nov 2020 14:14:19 GMT https://community.splunk.com/t5/Getting-Data-In/Send-events-from-TA-to-different-indexes-depending-on-hostname/m-p/530830#M89327 astackpole 2020-11-25T14:14:19Z