Data Routing to an Index based on Sourcetype

Alerting

Hello Everyone,

I am integrating logs from trend micro portable security via HEC.

As per the user guide of trend micro they need a HEC token that should have access to 5 indexes namely(sacnnedlog,detectedlog,applicationinfo,updateinfo,assetinfo) the names should not be changed as it will not be able to send logs .

So I have created a HEC token with sourctype=trendmicro and have given access to all 5 indexes created on HF.

Now the catch is in our splunk environment we cannot have 5 indexes for one source thus we have created 5 indexes at HF (same name as above) and we are trying to route all logs for sourcetype trendmicro to an index named app_trendmicro (created on Cluster master).

i have used following props and transforms

In props:-

[trendmicro]

TRANSFORMS-routing = trendmicro_routing

In transforms:-

[trendmicro_routing]

DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = app_trendmicro

however we are not able to receive logs and getting error in internal index as

Received event for unconfigured/disabled/deleted index

Get Updates on the Splunk Community!

Data Routing to an Index based on Sourcetype

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Data Routing to an Index based on Sourcetype

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk