https://community.splunk.com/t5/Getting-Data-In/Routing-to-index-based-on-host-etc/m-p/80927#M97117 <P>I'm glad that it works now</P> Tue, 09 Nov 2010 17:32:49 GMT chris 2010-11-09T17:32:49Z https://community.splunk.com/t5/Getting-Data-In/Routing-to-index-based-on-host-etc/m-p/80924#M97114 <P>We have an indexer and two forwarders. The forwarders are installed on other syslog servers to forward their syslogs to the indexer. The indexer has 2 indexes - main and index1</P> <P>I have successfully configured Splunk via props/transforms to route syslog sent directly from a Juniper to the indexer to the "index1" index instead of the default "main" by using the following config on the indexer:</P> <P>props.conf</P> <PRE><CODE>[syslog] TRANSFORMS-syslog-NSM=syslog-NSM </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[syslog-NSM] DEST_KEY = _MetaData:Index REGEX = NSM FORMAT = index1 </CODE></PRE> <P>I am now trying to route any syslog that includes "XUS" in the host name to index1 but no matter what I try I cannot get it to work. I'm suspecting that there is relevance to the syslog being sent directly to the indexer vs syslog being forwarded to the indexer via splunk forwarder. Is this true? </P> <P>This is my latest of many attempts to get this to work. What am I missing? I understand my regex may not be correct, but I've tried more 'open' regexs and I still can't route anything coming from the forwarder. I can get other syslogs being sent directly to the indexer to route to index1, but nothing from the forwarder:</P> <P>props.conf (updated)</P> <PRE><CODE>[syslog] TRANSFORMS-syslog-NSM=syslog-NSM TRANSFORMS-syslog-vault=syslog-vault </CODE></PRE> <P>transforms.conf (updated)</P> <PRE><CODE>[syslog-NSM] DEST_KEY = _MetaData:Index REGEX = NSM FORMAT = index1 [syslog-vault] SOURCE_KEY = _MetaData:Index (have tried with/without this) DEST_KEY = _MetaData:Index REGEX = XUS FORMAT = index1 WRITE_META = true (have tried with/without this) </CODE></PRE> <P>Is there something I can do on the indexer to get this to work?..meaning...can I configure routing on the indexer for syslog received via Splunk forwarder? Or do I need to perform the routing on the forwarder itself? If so, how should I do it?</P> <P>Thanks!!</P> Sat, 30 Oct 2010 03:49:54 GMT https://community.splunk.com/t5/Getting-Data-In/Routing-to-index-based-on-host-etc/m-p/80924#M97114 mmletzko 2010-10-30T03:49:54Z https://community.splunk.com/t5/Getting-Data-In/Routing-to-index-based-on-host-etc/m-p/80925#M97115 <P>Hi Mmletzko</P> <P>You are right there is a difference between the messages being sent directly to the indexer and forwarded messages. It depends on whether you are using the light forwarder or the regular forwarder aswell.</P> <P>There is good wiki page that helps a lot which is <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F" rel="nofollow">here (Where do I configure my Splunk settings)</A></P> <P>If I understand you correctly you have:</P> <UL> <LI>a regular forwarder and an indexer</LI> <LI>a juniper device sends messages containing "NSM" directly to the indexer </LI> <LI>other devices that send "XUS" messages to the forwarder </LI> </UL> <P>-&gt; Both messages should end up in index1</P> <P>I think this is what you need:</P> <P>On the indexer<BR /> <CODE>props.conf<BR /> [syslog]<BR /> TRANSFORMS-syslog-NSM=syslog-NSM</CODE> </P> <P><CODE>transforms.conf<BR /> [syslog-NSM]<BR /> DEST_KEY = _MetaData:Index<BR /> REGEX = NSM<BR /> FORMAT = index1</CODE></P> <P>On the forwarder<BR /> <CODE>props.conf<BR /> [syslog]<BR /> TRANSFORMS-syslog-vault=syslog-vault</CODE> </P> <P><CODE>transforms.conf<BR /> [syslog-vault]<BR /> DEST_KEY = _MetaData:Index<BR /> REGEX = XUS<BR /> FORMAT = index1</CODE></P> <P>That is almost what you had, I hope this helps</P> Mon, 01 Nov 2010 00:23:48 GMT https://community.splunk.com/t5/Getting-Data-In/Routing-to-index-based-on-host-etc/m-p/80925#M97115 chris 2010-11-01T00:23:48Z https://community.splunk.com/t5/Getting-Data-In/Routing-to-index-based-on-host-etc/m-p/80926#M97116 <P>Chris - THANK YOU!!!</P> <P>Looks like I danced around this, but didn't quite have it. I had the correct configuration in the transforms/props files, but I think the problem was that I had the routing configured on the forwarder (full forwarder, btw) AND the indexer at the same time. The one thing I hadn't tried was having it configured ONLY on the forwarder and not the indexer. Once I removed the settings from the indexer and then enabled them ONLY on the forwarder, it did the trick!!!</P> <P>So here are the final settings that did the trick:</P> <P><STRONG>indexer - props.conf</STRONG></P> <PRE><CODE>[syslog] TRANSFORMS-syslog-NSM=syslog-NSM </CODE></PRE> <P><STRONG>indexer - transforms.conf</STRONG></P> <PRE><CODE>[syslog-NSM] DEST_KEY = _MetaData:Index REGEX = NSM FORMAT = index1 </CODE></PRE> <P><STRONG>forwarder - props.conf</STRONG></P> <PRE><CODE>[syslog] TRANSFORMS-syslog-vault=syslog-vault </CODE></PRE> <P><STRONG>forwarder - transforms.conf</STRONG></P> <PRE><CODE>[syslog-vault] DEST_KEY = _MetaData:Index REGEX = XUS FORMAT = index1 </CODE></PRE> <P>Thanks again Chris - you restored my sanity!!</P> <P>-Matt</P> Mon, 01 Nov 2010 19:46:53 GMT https://community.splunk.com/t5/Getting-Data-In/Routing-to-index-based-on-host-etc/m-p/80926#M97116 mmletzko 2010-11-01T19:46:53Z https://community.splunk.com/t5/Getting-Data-In/Routing-to-index-based-on-host-etc/m-p/80927#M97117 <P>I'm glad that it works now</P> Tue, 09 Nov 2010 17:32:49 GMT https://community.splunk.com/t5/Getting-Data-In/Routing-to-index-based-on-host-etc/m-p/80927#M97117 chris 2010-11-09T17:32:49Z