topic Re: Transformation to index events to different index not working in Splunk Search

Transformation to index events to different index not working

markconlin — Wed, 10 Jan 2018 19:16:06 GMT

Goal
I wish to place some events into a longer living index "staging-boeing-audit" for audit purposes.
All other events I wish to continue to be indexed as before.

What I have tried
I fabricated a simple example to prove this method will work.

I added a TRANSFORMS-"name" line to my props.conf for a test sourcetype
I added a transforms.conf to regex some events into a new index
I used oneshot to place a test file into Splunk

What happened
All data was placed into the original index "marktransform1"
No events were matched by the transform and thus the target index "staging-boeing-audit" is empty.

My props.conf

root@myhost:/opt/splunk/etc/system/local# cat props.conf
[mectest]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = info.created
TIME_FORMAT = %Y-%d-%m %H:%M:%S.%3Q
KV_MODE= none
AUTO_KV_JSON= true
category = Custom
description = added via ui
disabled = false
pulldown_type = 1
TRANSFORMS-routing = route_boeing

My transforms.conf

root@myhost:/opt/splunk/etc/system/local# cat tranforms.conf
[route_boeing]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = staging-boeing-audit

My oneshot command

root@myhost:/opt/splunk/bin# ./splunk add oneshot ulfs.log -sourcetype mectest -index marktransform1

Sample from ulfs.log file

root@myhost:/opt/splunk/bin# tail -2 ulfs.log
{"context": {}, "info": {"name": "starwood.core", "msg": "Got rate from Starwood", "levelname": "INFO", "levelno": 20, "pathname": "/home/ubuntu/envs/airborne/src/tune/tune/utils.py", "filename": "utils.py", "module": "utils", "exc_info": null, "exc_text": null, "stack_info": null, "lineno": 45, "funcName": "debug", "created": "2018-01-10 17:52:12.253", "msecs": 252.66528129577637, "relativeCreated": 33089947.247982025, "thread": 140501375943792, "threadName": "DummyThread-686", "processName": "MainProcess", "process": 21272, "currency": "DKK", "event_type": "get_rate", "message_type": "starwood", "content_type": "profiling", "time": 0.0021333694458007812, "message": "Got rate from Starwood", "asctime": "2018-01-10 09:52:12,252", "loggername": "starwood.core"}}
{"context": {}, "info": {"name": "tune.memory", "msg": "GC status", "levelname": "DEBUG", "levelno": 10, "pathname": "/home/ubuntu/envs/airborne/src/tune/tune/memory.py", "filename": "memory.py", "module": "memory", "exc_info": null, "exc_text": null, "stack_info": null, "lineno": 49, "funcName": "gc_monitor", "created": "2018-01-10 17:52:33.135", "msecs": 135.5295181274414, "relativeCreated": 33110830.112218857, "thread": 140501389641576, "threadName": "DummyThread-1081", "processName": "MainProcess", "process": 22337, "current_collections_count": [86, 1, 30], "current_frames": 5, "enabled": true, "garbage_count": 0, "gc_stats": [{"collections": 26842, "collected": 5718217, "uncollectable": 0}, {"collections": 2440, "collected": 2079011, "uncollectable": 0}, {"collections": 101, "collected": 1168870, "uncollectable": 0}], "max_rss": 351032, "total_objects": 326350, "message": "GC status", "asctime": "2018-01-10 09:52:33,135", "loggername": "tune.memory"}}

Re: Transformation to index events to different index not working

micahkemp — Wed, 10 Jan 2018 19:20:18 GMT

Did you restart splunk after making those changes?

Re: Transformation to index events to different index not working

markconlin — Wed, 10 Jan 2018 19:30:07 GMT

yes I did restart

Re: Transformation to index events to different index not working

markconlin — Wed, 10 Jan 2018 19:31:57 GMT

I have tried other regex as well like REGEX = .*

Re: Transformation to index events to different index not working

somesoni2 — Wed, 10 Jan 2018 19:51:06 GMT

Did you place your props.conf and transforms.conf on the instance where data parsing happens? It'll either Indexer OR heavy forwarder (whichever comes first in data flow). Also, I believe REGEX = . you're using for testing (it'll route all events), when test is done, you'd put actual regex matching required events?

Re: Transformation to index events to different index not working

micahkemp — Wed, 10 Jan 2018 19:58:54 GMT

That's a good question. If this is a standalone instance, running oneshot on the same splunk instance that props/transforms are defined should be sufficient. But if this server is a universal forwarder props/transforms need to be on the indexer (or heavy forwarder) it is forwarding to.

Re: Transformation to index events to different index not working

cpetterborg — Wed, 10 Jan 2018 20:00:31 GMT

Is there the possibility that you have another route_boeing in another transforms.conf?

Re: Transformation to index events to different index not working

markconlin — Thu, 11 Jan 2018 02:26:55 GMT

I am testing this on my splunk indexer/search head not on an instance with a forwarder sending logs.

Re: Transformation to index events to different index not working

markconlin — Thu, 11 Jan 2018 02:29:06 GMT

I am aware my regex matches all events but I wanted to make sure the problem was not in the regex itself and .* and . were the two dumbest simplest ways to try it I could think of.

Re: Transformation to index events to different index not working

markconlin — Thu, 11 Jan 2018 02:29:26 GMT

no, not possible

Re: Transformation to index events to different index not working

micahkemp — Thu, 11 Jan 2018 02:32:21 GMT

Paste the output of:

./bin/splunk btool transforms list route_boeing --debug

./bin/splunk btool props list mectest --debug

Re: Transformation to index events to different index not working

gfuente — Thu, 11 Jan 2018 12:40:18 GMT

Hello

There is a typo in the transforms file name:

 root@myhost:/opt/splunk/etc/system/local# cat tranforms.conf

It should be: transforms.conf

Regards

Re: Transformation to index events to different index not working

micahkemp — Thu, 11 Jan 2018 15:18:11 GMT

Good catch. I suggest converting this to an answer so that if it helps the poster find the root cause it can be accepted.