topic Re: Change index depending on host in Getting Data In

Change index depending on host

pbalbasdtt — Wed, 30 Sep 2020 05:01:13 GMT

Hi all,

I'm trying to split Windows events into different indexes at index time depending on the host which is sending them. Below there are my props.conf and transforms.conf

props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-set_new_index = set_index_new
transforms.conf
[set_index_new]
REGEX = MY.HOSTNAME.12.COM
FORMAT = windows-new
DEST_KEY = _MetaData:Index

I tried with different combinations on the regex but none of them worked. Can someone tell me what could be wrong? Thanks in advance.

Best.

Re: Change index depending on host

harsmarvania57 — Wed, 15 Apr 2020 14:29:36 GMT

Hi,

On which splunk instance, have you configured above props.conf and transforms.conf ? It should be on first Splunk Enterprise instance from Universal Forwarder. For example: If UF sends data to Heavy Forwarder and then it goes to Indexer then you need to configure props & transforms on Heavy Forwarder. If UF sends data directly to Indexer then you need to configure props & transforms on Indexer.

Re: Change index depending on host

pbalbasdtt — Wed, 15 Apr 2020 15:03:21 GMT

Hi,

Thanks for your response. I have a UF sending logs to indexers. I deployed those .conf files on indexers but it's not indexing logs on the new index, and it is using the old one.

Re: Change index depending on host

harsmarvania57 — Wed, 15 Apr 2020 15:19:31 GMT

Have you restarted splunk on Indexer after adding those props/transforms ?

Re: Change index depending on host

pbalbasdtt — Wed, 15 Apr 2020 15:43:30 GMT

I deployed the changes via Cluster Master, so I assume no restart on IDX is required, is that right?

Re: Change index depending on host

harsmarvania57 — Wed, 15 Apr 2020 15:48:19 GMT

Yes if you deployed from CM then it will automatically take care. Additionally only new data will go into new index not existing data. If that is still not working then I'll suggest to provide some sample data (Mask sensitive data)

Re: Change index depending on host

DalJeanis — Wed, 15 Apr 2020 16:12:05 GMT

1) Your transforms does not say which field you are trying to match (SOURCE_KEY). If you don't tell it that, then it probably is checking the entire _raw, iirc.

2) If you mean to match only the character ., then your regex should escape the character using \.

Re: Change index depending on host

pbalbasdtt — Thu, 16 Apr 2020 13:45:46 GMT

The 2nd one works!!! Thanks a lot for your answer