topic Re: Data Redirection Issue in Installation

Data Redirection Issue

daniel333 — Sat, 12 Jan 2019 02:02:30 GMT

All,

I am getting logs into an existing Splunk installation with
index=wrong sourcetype=wayoutofdate

that data needs to continue as is. There are users counting on those logs as they are . I'd like to send a second copy of these logs to a new set of indexers with
index=correct sourcetype=correctsourctype

I am not sure how to make the three transform changes without breaking what already exists off my heavy forwarders. Any help?

Re: Data Redirection Issue

woodcock — Sat, 12 Jan 2019 05:23:28 GMT

The easiest way is to create a symlink to the directory where the files are now ( ln -s current_directory symlink_directory ) and put a second monitor stanza pointed at the new directory. The downside is double the work on the forwarder and double the license cost.

The other way, which is extremely fragile and also creates much latency but has no license cost, is to use copy it into a summary index with a populating search that is scheduled to run all the time.

Re: Data Redirection Issue

MousumiChowdhur — Sat, 12 Jan 2019 05:25:39 GMT

Hi @daniel333 ,

Could you please share the outputs.conf stanza you have currently?

Thank You.

Re: Data Redirection Issue

ledion — Sun, 13 Jan 2019 05:39:46 GMT

You should be able to trivially clone the data into the right index/sourcetype and much much more using Cribl - check out this blog post for an example of how to clone data.