All Apps and Add-ons

How do I redirect AWS events to different indexes by the content of the events in the AWS TA?

BlueSocket
Communicator

Hi,

I have a set of AWS inputs and I need to redirect events depending upon the names of the instances (which are in the events).
I have set up a transforms.conf to look like this:

[index_env1]
REGEX = env1
DEST_KEY = _MetaData:Index
FORMAT = env1

[index_env2]
REGEX = env2
DEST_KEY = _MetaData:Index
FORMAT = env2

In the inputs.conf, I have added a line:

TRANSFORMS-index_cloudwatch=index_env1,index_env2

When I restart Splunk, i get:

Invalid key in stanza [aws_cloudwatch://System CloudWatch_*******] in /opt/splunk/etc/apps/Splunk_TA_aws/local/inputs.conf, line 12: TRANSFORMS-index_cloudwatch (value: index_env1,index_env2)

I can't see what I am doing wrong, but is there any reason why I can't use this syntax to redirect the events to different indexes?
Is redirection of indexes not supported by AWS inputs? What else can I do?

0 Karma
1 Solution

p_gurav
Champion

You have to add this line in props.conf not in inputs.conf.

<sourcetype>
TRANSFORMS-index_cloudwatch=index_env1,index_env2

Transforms.conf seems ok.

View solution in original post

p_gurav
Champion

You have to add this line in props.conf not in inputs.conf.

<sourcetype>
TRANSFORMS-index_cloudwatch=index_env1,index_env2

Transforms.conf seems ok.

BlueSocket
Communicator

Ooooh. I feel a proper fool, now!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...