Solved: How do I redirect AWS events to different indexes ...

BlueSocket · ‎03-12-2018

Hi,

I have a set of AWS inputs and I need to redirect events depending upon the names of the instances (which are in the events).
I have set up a transforms.conf to look like this:

[index_env1]
REGEX = env1
DEST_KEY = _MetaData:Index
FORMAT = env1

[index_env2]
REGEX = env2
DEST_KEY = _MetaData:Index
FORMAT = env2

In the inputs.conf, I have added a line:

TRANSFORMS-index_cloudwatch=index_env1,index_env2

When I restart Splunk, i get:

Invalid key in stanza [aws_cloudwatch://System CloudWatch_*******] in /opt/splunk/etc/apps/Splunk_TA_aws/local/inputs.conf, line 12: TRANSFORMS-index_cloudwatch (value: index_env1,index_env2)

I can't see what I am doing wrong, but is there any reason why I can't use this syntax to redirect the events to different indexes?
Is redirection of indexes not supported by AWS inputs? What else can I do?

p_gurav · ‎03-12-2018

You have to add this line in props.conf not in inputs.conf.

<sourcetype>
TRANSFORMS-index_cloudwatch=index_env1,index_env2

Transforms.conf seems ok.

View solution in original post

p_gurav · ‎03-12-2018

You have to add this line in props.conf not in inputs.conf.

<sourcetype>
TRANSFORMS-index_cloudwatch=index_env1,index_env2

Transforms.conf seems ok.

BlueSocket · ‎03-13-2018

Ooooh. I feel a proper fool, now!

How do I redirect AWS events to different indexes by the content of the events in the AWS TA?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application