https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-route-logs-uto-multiple-indexes-and/m-p/499805#M85187 <P>Hi,<BR /> I am working on OS log onboarding data under multiple hostname folders and these hostname folders are located at same file path.<BR /> My plan is to dynamically onboard these logs to indexes based on relevant hostname with dynamic sourcetype set based on filename text.</P> <P>My logs directory structure:<BR /> <CODE>\opt\myAPP\host1\filename_type1.log</CODE><BR /> <CODE>\opt\myAPP\host2\filename_type2.log</CODE><BR /> <CODE>\opt\myAPP\host3\filename_type3.log</CODE></P> <P>Expected index name from foldername: <BR /> <CODE>indexname_host1</CODE><BR /> <CODE>indexname_host2</CODE><BR /> <CODE>indexname_host3</CODE></P> <P>Expected sourcetype name from filename :<BR /> <CODE>sourcetype_type1</CODE><BR /> <CODE>sourcetype_type2</CODE><BR /> <CODE>sourcetype_type3</CODE></P> <P>Following are the configuration am using at inputs.conf , where index=route is just placeholder and no such index is created:<BR /> `[monitor:///opt/myAPP/.../*.log]<BR /> host_segment = 3<BR /> index = route<BR /> sourcetype = reroute_1<BR /> whitelist = (host1|host4|host5)</P> <P>[monitor:///opt/myAPP/.../*.log]<BR /> host_segment = 3<BR /> index = route<BR /> sourcetype = reroute_2<BR /> whitelist = (host2)</P> <P>[monitor:///opt/myAPP/.../*.log]<BR /> host_segment = 3<BR /> index = route<BR /> sourcetype = reroute_3<BR /> whitelist = (host3)`</P> <P>At props.conf<BR /> `[reroute_1]<BR /> TRANSFORMS-sourcetype = overridesourcetype1<BR /> TRANSFORMS-index = overrideindex</P> <P>[reroute_2]<BR /> TRANSFORMS-sourcetype = overridesourcetype2<BR /> TRANSFORMS-index = overrideindex</P> <P>[reroute_3]<BR /> TRANSFORMS-sourcetype = overridesourcetype3<BR /> TRANSFORMS-index = overrideindex<BR /> <CODE><BR /> at transforms.conf :<BR /> </CODE>[overridesourcetype1]<BR /> SOURCE_KEY = MetaData:Source<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = source::\/opt\/myAPP\/\w+\/filename_(\w+).*<BR /> FORMAT = sourcetype::sourcetype_$1</P> <P>[overridesourcetype2]<BR /> SOURCE_KEY = MetaData:Source<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = source::\/opt\/myAPP\/\w+\/filename_(\w+).*<BR /> FORMAT = sourcetype::sourcetype_$1</P> <P>[overridesourcetype3]<BR /> SOURCE_KEY = MetaData:Source<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = source::\/opt\/myAPP\/\w+\/filename_(\w+).*<BR /> FORMAT = sourcetype::sourcetype_$1</P> <P>[overrideindex]<BR /> SOURCE_KEY = MetaData:Source<BR /> REGEX = source::\/opt\/myAPP\/(\w+).*<BR /> DEST_KEY = <EM>MetaData:Index<BR /> FORMAT = index</EM>$1`</P> <P>However, all the log files are indexed into the index="indexname_host3".</P> <P>Is there any way to route this as mentioned under 'Expected'.</P> <P>Kindly help...</P> Wed, 30 Sep 2020 03:13:31 GMT harshal_chakran 2020-09-30T03:13:31Z https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-route-logs-uto-multiple-indexes-and/m-p/499805#M85187 <P>Hi,<BR /> I am working on OS log onboarding data under multiple hostname folders and these hostname folders are located at same file path.<BR /> My plan is to dynamically onboard these logs to indexes based on relevant hostname with dynamic sourcetype set based on filename text.</P> <P>My logs directory structure:<BR /> <CODE>\opt\myAPP\host1\filename_type1.log</CODE><BR /> <CODE>\opt\myAPP\host2\filename_type2.log</CODE><BR /> <CODE>\opt\myAPP\host3\filename_type3.log</CODE></P> <P>Expected index name from foldername: <BR /> <CODE>indexname_host1</CODE><BR /> <CODE>indexname_host2</CODE><BR /> <CODE>indexname_host3</CODE></P> <P>Expected sourcetype name from filename :<BR /> <CODE>sourcetype_type1</CODE><BR /> <CODE>sourcetype_type2</CODE><BR /> <CODE>sourcetype_type3</CODE></P> <P>Following are the configuration am using at inputs.conf , where index=route is just placeholder and no such index is created:<BR /> `[monitor:///opt/myAPP/.../*.log]<BR /> host_segment = 3<BR /> index = route<BR /> sourcetype = reroute_1<BR /> whitelist = (host1|host4|host5)</P> <P>[monitor:///opt/myAPP/.../*.log]<BR /> host_segment = 3<BR /> index = route<BR /> sourcetype = reroute_2<BR /> whitelist = (host2)</P> <P>[monitor:///opt/myAPP/.../*.log]<BR /> host_segment = 3<BR /> index = route<BR /> sourcetype = reroute_3<BR /> whitelist = (host3)`</P> <P>At props.conf<BR /> `[reroute_1]<BR /> TRANSFORMS-sourcetype = overridesourcetype1<BR /> TRANSFORMS-index = overrideindex</P> <P>[reroute_2]<BR /> TRANSFORMS-sourcetype = overridesourcetype2<BR /> TRANSFORMS-index = overrideindex</P> <P>[reroute_3]<BR /> TRANSFORMS-sourcetype = overridesourcetype3<BR /> TRANSFORMS-index = overrideindex<BR /> <CODE><BR /> at transforms.conf :<BR /> </CODE>[overridesourcetype1]<BR /> SOURCE_KEY = MetaData:Source<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = source::\/opt\/myAPP\/\w+\/filename_(\w+).*<BR /> FORMAT = sourcetype::sourcetype_$1</P> <P>[overridesourcetype2]<BR /> SOURCE_KEY = MetaData:Source<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = source::\/opt\/myAPP\/\w+\/filename_(\w+).*<BR /> FORMAT = sourcetype::sourcetype_$1</P> <P>[overridesourcetype3]<BR /> SOURCE_KEY = MetaData:Source<BR /> DEST_KEY = MetaData:Sourcetype<BR /> REGEX = source::\/opt\/myAPP\/\w+\/filename_(\w+).*<BR /> FORMAT = sourcetype::sourcetype_$1</P> <P>[overrideindex]<BR /> SOURCE_KEY = MetaData:Source<BR /> REGEX = source::\/opt\/myAPP\/(\w+).*<BR /> DEST_KEY = <EM>MetaData:Index<BR /> FORMAT = index</EM>$1`</P> <P>However, all the log files are indexed into the index="indexname_host3".</P> <P>Is there any way to route this as mentioned under 'Expected'.</P> <P>Kindly help...</P> Wed, 30 Sep 2020 03:13:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-route-logs-uto-multiple-indexes-and/m-p/499805#M85187 harshal_chakran 2020-09-30T03:13:31Z https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-route-logs-uto-multiple-indexes-and/m-p/499806#M85188 <P>You don't need 3 separate monitors here, just create one and check with following configurations.</P> <P><STRONG>inputs.conf</STRONG></P> <PRE><CODE>[monitor:///opt/myAPP/.../*.log] host_segment = 3 index = route sourcetype = reroute_1 </CODE></PRE> <P><STRONG>props.conf:</STRONG></P> <PRE><CODE>[reroute_1] TRANSFORMS-index_routing = route_to_index TRANSFORMS-sourcetype_routing = route_to_sourcetype </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[route_to_index] SOURCE_KEY = MetaData:Host REGEX = host::(.*) DEST_KEY = _MetaData:Index FORMAT = indexname_$1 [route_to_sourcetype] SOURCE_KEY = MetaData:Host REGEX = host::(.*) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype_$1 </CODE></PRE> Tue, 03 Dec 2019 06:42:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-route-logs-uto-multiple-indexes-and/m-p/499806#M85188 manjunathmeti 2019-12-03T06:42:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-route-logs-uto-multiple-indexes-and/m-p/499807#M85189 <P>Hi @harshal_chakranarayan,<BR /> remember that all the knowledge objects in Splunk are related to sourcetype, so if you have different sourcetypes you cannot use (or it's very difficoult) field extractions, eventtypes, tags, etc...; this means that it isn't a good idea to use different sourcetypes!</P> <P>At the same time, why do you want to put logs from hosts in different indexes?<BR /> Usually indexes are choosen based on retention policies and access right, eventually based on quantity of data (e.g. large data flows aren't stored in indexes together with few data flows), not other.</P> <P>In other words, Splunk isn't a database and usually logs are stored in indexes which common retention policies and access rights using a limited number of sourcetypes that permits to manage knowledge objects.<BR /> Logs are searcheable using all their fields like sourcetype host and others.</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 03 Dec 2019 08:33:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-route-logs-uto-multiple-indexes-and/m-p/499807#M85189 gcusello 2019-12-03T08:33:33Z