topic Re: Index data from a file and send to differents indexes in Getting Data In

Index data from a file and send to differents indexes

tdepablo88 — Thu, 24 Dec 2020 17:59:11 GMT

Hi everyone,

I am trying to index data from a single log file to different indexes but i can't do it, i have this data wich need to route to diferent indexes:

svr80001.xxxxxx.com [UDP: [172.22.175.102]:27869->[172.22.172.244]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (121711881) 14 days, 2:05:18.81

<UNKNOWN> [UDP: [115.100.9.100]:56090->[172.22.172.244]:162]:

I need to filter using the ipaddress, and i follow the next link https://community.splunk.com/t5/Getting-Data-In/How-to-filter-data-from-a-single-file-and-write-to-two-different/m-p/513371 but isn't work to me.

Regards, Diego

Re: Index data from a file and send to differents indexes

richgalloway — Thu, 24 Dec 2020 20:39:45 GMT

Please share the props.conf and transforms.conf settings you're using to route the events to different indexes.

Re: Index data from a file and send to differents indexes

tdepablo88 — Sun, 27 Dec 2020 23:41:24 GMT

props.conf

[cisco-prime_snmtp-traps]
TRANSFORMS-reenvioindexes= wlc_pams, aruba

transforms.conf

[wlc_pams]
REGEX= /\[UDP: \[115\.100\.9\.100\]/g
DEST_KEY = _MetaData:Index
FORMAT = wlc_pams

[aruba]
REGEX= /\[UDP: \[172\.22\.175\.102\]/g
DEST_KEY = _MetaData:Index
FORMAT = Aruba

thank you

Re: Index data from a file and send to differents indexes

richgalloway — Mon, 28 Dec 2020 13:44:43 GMT

The problem (or perhaps one of the problems) is the REGEX strings do not match the data. The events do not have the UDP address surrounded by slashes. Try these, instead.

[wlc_pams] REGEX= \[UDP: \[115\.100\.9\.100\] DEST_KEY = _MetaData:Index FORMAT = wlc_pams [aruba] REGEX= \[UDP: \[172\.22\.175\.102\] DEST_KEY = _MetaData:Index FORMAT = Aruba

Re: Index data from a file and send to differents indexes

tdepablo88 — Mon, 04 Jan 2021 16:43:33 GMT

Rich,

thanks for the help it works perfectly, now can i define a another sourcetype for the redirection, example:

[wlc_pams] REGEX= \[UDP: \[115\.100\.9\.100\] DEST_KEY = _MetaData:Index FORMAT = wlc_pams SOURCETYPE = another?

regards.

Diego

Re: Index data from a file and send to differents indexes

richgalloway — Mon, 04 Jan 2021 18:38:07 GMT

The sourcetype can be changed by specifying the proper destination key. You already have a destination key specified, however, so I'm not sure you can make both changes.

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.