https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379939#M68626 <P>yep, that should work</P> Mon, 25 Mar 2019 22:16:28 GMT MuS 2019-03-25T22:16:28Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379932#M68619 <P>I'm currently sending logs from a UF &gt; HF &gt; two indexer clusters. </P> <P>I have the need to set the index name at the indexing layer, since the name of the index will be different, depending on the indexer cluster. </P> <P>I tried putting the following props and transforms at the indexing layer:</P> <P>props.conf:</P> <PRE><CODE>[my:sourcetype] TRANSFORMS-route_to_new_index = set_new_index </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[set_new_index] SOURCE_KEY = MetaData:Sourcetype DEST_KEY =_MetaData:Index REGEX = (sourcetype::my:sourcetype) FORMAT = new_index </CODE></PRE> <P>This does not change the index, however placing these same props and transforms on the HF does change the index. This doesn't help me though since the index name needs to be set <STRONG>after</STRONG> the data is split off to each indexer cluster. Is it really not possible to do this at the indexer layer when a HF is involved? Any other suggestions on how to accomplish the index rename?</P> <P>Thanks</P> Mon, 25 Mar 2019 20:49:00 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379932#M68619 ehowardl3 2019-03-25T20:49:00Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379933#M68620 <P>@ehowardl3 is the data split/cloned to both idx clusters or load balanced?</P> Mon, 25 Mar 2019 20:56:45 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379933#M68620 MuS 2019-03-25T20:56:45Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379934#M68621 <P>@MuS, thanks for your time. The data is split/cloned to both idx clusters.</P> Mon, 25 Mar 2019 20:58:30 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379934#M68621 ehowardl3 2019-03-25T20:58:30Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379935#M68622 <P>please hold, this can be done on the HWF <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> Mon, 25 Mar 2019 20:59:29 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379935#M68622 MuS 2019-03-25T20:59:29Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379936#M68623 <P>Hi ehowardl3,</P> <P>first you need to have two separate <CODE>tcpout</CODE> entries in <CODE>outputs.conf</CODE> of your HWF:</P> <PRE><CODE>[tcpout] defaultGroup = cluster1 [tcpout:cluster1] server = &lt;ip address&gt;:&lt;port&gt; [tcpout:cluster2] server = &lt;ip address&gt;:&lt;port&gt; </CODE></PRE> <P>Next you need a <CODE>props.conf</CODE> like the one you had with an additional line:</P> <PRE><CODE>[my:sourcetype] TRANSFORMS-001-route_to_new_index_cluster2 = 001-route_to_new_index_cluster2, 002-route_to_cluster2 </CODE></PRE> <P>then in <CODE>transforms.conf</CODE> you set it up like this:</P> <PRE><CODE>[001-route_to_new_index_cluster2] DEST_KEY =_MetaData:Index REGEX = . FORMAT = my_new_index # set to what ever you want [002-route_to_cluster2] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = cluster2 # which is the name from outputs.conf </CODE></PRE> <P>The option <CODE>defaultGroup=cluster1</CODE> in <CODE>outputs.conf</CODE> will send all data unchanged to <CODE>cluster1</CODE>.</P> <P>After applying this config you need to restart the HWF.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Mon, 25 Mar 2019 21:12:06 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379936#M68623 MuS 2019-03-25T21:12:06Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379937#M68624 <P>Refer to MuS's feedback but "Is it really not possible to do this at the indexer layer when a HF is involved?", not under normal circumstances. Once data is parsed it is not re-parsed at the next tier, so transforms do not apply twice.</P> <P>While there are advanced tricks to "recook" the data it would not make sense for your scenario.</P> Mon, 25 Mar 2019 21:51:51 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379937#M68624 gjanders 2019-03-25T21:51:51Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379938#M68625 <P>Thank you! This makes sense and should work for me. So if there are two different source types that I need to send to two different indexes, I'm assuming the props and transforms would look something like this:</P> <P>transforms.conf:</P> <PRE><CODE>[001-route_to_new_index_cluster2] SOURCE_KEY = MetaData:Sourcetype DEST_KEY =_MetaData:Index REGEX = (sourcetype::my:sourcetype1) FORMAT = my_new_index1 [002-route_to_new_index_cluster2] SOURCE_KEY = MetaData:Sourcetype DEST_KEY =_MetaData:Index REGEX = (sourcetype::my:sourcetype2) FORMAT = my_new_index2 [003-route_to_cluster2] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = cluster2 # which is the name from outputs.conf </CODE></PRE> <P>props.conf:</P> <PRE><CODE>[my:sourcetype1] TRANSFORMS-001-route_to_new_index_cluster2 = 001-route_to_new_index_cluster2, 003-route_to_cluster2 [my:sourcetype2] TRANSFORMS-002-route_to_new_index_cluster2 = 002-route_to_new_index_cluster2, 003-route_to_cluster2 </CODE></PRE> <P>Correct?</P> <P>Thanks!</P> Mon, 25 Mar 2019 22:14:18 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379938#M68625 ehowardl3 2019-03-25T22:14:18Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379939#M68626 <P>yep, that should work</P> Mon, 25 Mar 2019 22:16:28 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379939#M68626 MuS 2019-03-25T22:16:28Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379940#M68627 <P>except the <CODE>REGEX</CODE>, just use <CODE>.</CODE> because the <CODE>props.conf</CODE> already limits the use of the transforms to specific sourcetypes <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> Mon, 25 Mar 2019 22:17:29 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379940#M68627 MuS 2019-03-25T22:17:29Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379941#M68628 <P>Ah yeah, good point. Thanks again!</P> Mon, 25 Mar 2019 22:40:28 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379941#M68628 ehowardl3 2019-03-25T22:40:28Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379942#M68629 <P>@gjanders - thanks for the info!</P> Mon, 25 Mar 2019 22:41:28 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379942#M68629 ehowardl3 2019-03-25T22:41:28Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379943#M68630 <P>@MuS, one thing that has me a little confused - since props.conf calls out the sourcetype and then routes it to cluster2, won't that catch all the data of that sourcetype instead of splitting the data and sending it to cluster2 and to the default group?</P> Tue, 26 Mar 2019 14:51:59 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379943#M68630 ehowardl3 2019-03-26T14:51:59Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379944#M68631 <P>That's where the <CODE>defaultGroup = cluster1</CODE> in <CODE>outputs.conf</CODE> kicks in, it will send ANY data to the target.</P> <P>But you can also remove the <CODE>defaultGroup = cluster1</CODE> and do something like this:</P> <P>props.conf</P> <PRE><CODE>[my:sourcetype1] TRANSFORMS-000-route_to_cluster = 000-route_to_cluster1 TRANSFORMS-001-route_to_new_index_cluster2 = 001-route_to_new_index_cluster2, 003-route_to_cluster2 [my:sourcetype2] TRANSFORMS-000-route_to_cluster = 000-route_to_cluster1 TRANSFORMS-001-route_to_new_index_cluster2 = 002-route_to_new_index_cluster2, 003-route_to_cluster2 </CODE></PRE> <P>transforms.conf</P> <PRE><CODE> [001-route_to_new_index_cluster2] DEST_KEY =_MetaData:Index REGEX = . FORMAT = my_new_index1 [002-route_to_new_index_cluster2] DEST_KEY =_MetaData:Index REGEX = . FORMAT = my_new_index2 [000-route_to_cluster1] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = cluster1 # which is the name from outputs.conf [003-route_to_cluster2] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = cluster2 # which is the name from outputs.conf </CODE></PRE> <P>Hope that make sense ...</P> <P>cheers, MuS</P> Tue, 26 Mar 2019 19:16:37 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379944#M68631 MuS 2019-03-26T19:16:37Z https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379945#M68632 <P>Perfect. Thanks for the clarification.</P> Wed, 27 Mar 2019 12:21:41 GMT https://community.splunk.com/t5/Getting-Data-In/Event-based-index-routing-at-indexer-layer-when-heavy-forwarder/m-p/379945#M68632 ehowardl3 2019-03-27T12:21:41Z