https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453050#M78487 <P>I tried that, and it unfortunately didn't work. I modified the transforms.conf in the cluster master's directory: $SPLUNK_HOME\etc\master-apps_cluster\local\</P> <P>and pushed the configuration to the two indexers, i checked and made sure the config files were there. I cannot figure out why it isn't working.</P> Mon, 23 Jul 2018 17:04:19 GMT zayers2 2018-07-23T17:04:19Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453048#M78485 <P>We have radius servers that need to be routed to a specific index. I have written the props.conf and transforms.conf Stanzas and I cannot get them to work. Our indexers are clustered and I made the changes to the .conf files on the cluster master in the directory:</P> <PRE><CODE>$SPLUNK_HOME\etc\master-apps\_cluster\local\ </CODE></PRE> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[host::coradius.*] TRANSFORMS-index = coradius_index_transform </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[coradius_index_transform] SOURCE_KEY = _MetaData:Host REGEX = ^host::(coradius.*)$ DEST_KEY = _MetaData:Index FORMAT = radius </CODE></PRE> <P>Even after making those changes there are no events in the index. I need some help figuring out why the events from the specific hosts aren't routing to the correct index.</P> Fri, 20 Jul 2018 14:39:57 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453048#M78485 zayers2 2018-07-20T14:39:57Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453049#M78486 <P>Your transforms.conf stanza should be like this</P> <PRE><CODE>[coradius_index_transform] SOURCE_KEY = MetaData:Host REGEX = ^coradius.*$ DEST_KEY = _MetaData:Index FORMAT = radius </CODE></PRE> Fri, 20 Jul 2018 17:47:23 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453049#M78486 somesoni2 2018-07-20T17:47:23Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453050#M78487 <P>I tried that, and it unfortunately didn't work. I modified the transforms.conf in the cluster master's directory: $SPLUNK_HOME\etc\master-apps_cluster\local\</P> <P>and pushed the configuration to the two indexers, i checked and made sure the config files were there. I cannot figure out why it isn't working.</P> Mon, 23 Jul 2018 17:04:19 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453050#M78487 zayers2 2018-07-23T17:04:19Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453051#M78488 <P>What kind of forwarders do you have in your environment? This settings needs to be applied to place/instance where data parsing happens, so if you're using heavy forwarder (Splunk Enterprise instance as forwarder) OR heavy Intermediate Forwarder (Splunk Enterprise instance which receives data from Universal Forwarder and send it to Indexers), then this should be applied there.</P> Mon, 23 Jul 2018 17:38:51 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453051#M78488 somesoni2 2018-07-23T17:38:51Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453052#M78489 <P>We are using the Universal Forwarder on our servers and sending them to an indexer. The indexer is where the data parsing takers place. </P> Mon, 23 Jul 2018 18:09:50 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453052#M78489 zayers2 2018-07-23T18:09:50Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453053#M78490 <P>Since your transforms is applied to specified hosts already, give this a try.<BR /> props.conf</P> <PRE><CODE>[host::coradius*] TRANSFORMS-index = coradius_index_transform </CODE></PRE> <P>transforms.conf</P> <PRE><CODE> [coradius_index_transform] REGEX = . DEST_KEY = _MetaData:Index FORMAT = radius </CODE></PRE> Mon, 23 Jul 2018 18:22:34 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453053#M78490 somesoni2 2018-07-23T18:22:34Z https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453054#M78491 <P>That solved it! Thank you very much for your input. </P> Mon, 23 Jul 2018 18:58:33 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-events-not-routing-to-specific-index-based-on-host/m-p/453054#M78491 zayers2 2018-07-23T18:58:33Z