Alerting

Data Routing to an Index based on Sourcetype

bhavneeshvohra
Engager

Hello Everyone,

I am integrating logs from trend micro portable security  via HEC.

As per the user guide of trend micro they need a HEC token that should have access to 5 indexes namely(sacnnedlog,detectedlog,applicationinfo,updateinfo,assetinfo) the names should not be changed as it will not be able to send logs .

So I have created a HEC token with sourctype=trendmicro and have given access to all 5 indexes created on HF.

Now the catch is in our splunk environment we cannot have 5 indexes for one source thus we have created 5 indexes at HF (same name as above) and we are trying to route all logs for sourcetype trendmicro to an index named app_trendmicro (created on Cluster master).

 i have used following props and transforms

In props:-

[trendmicro]

TRANSFORMS-routing = trendmicro_routing

In transforms:-

[trendmicro_routing]

DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = app_trendmicro

however we are  not able to receive logs and getting error in internal index  as

Received event for unconfigured/disabled/deleted index

 

Labels (1)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!