- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to redirect DB table rows to different indexes...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to redirect DB table rows to different indexes based on the field?
Hi,
I have below table in my database.
Computer Application Duration
BLR0057 Calculator 30
CHN0056 MS-Word 43
DEL0078 MS-Excel 55
But I need to forward each row to different index based on Computer name.
Tried to use,
props.conf
[sourcetype::application_usage_data]
TRANSFORMS-index_extraction = index_extraction
transforms.conf
[index_extraction]
SOURCE_KEY = _raw
REGEX = .Computer="(P?\w{3}?).".*
DEST_KEY = _MetaData:Index
FORMAT = $1
WRITE_META = true
Here index names are blr, chn, del. But data is getting indexed in index name from db-inputs.conf 😞
How to achieve data routing to different indexes in DB Connect?
Regards,
Arun N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the number of different options is rather low, it might be simpler to write separate DB Connect inputs for each option, using a where clause that selects rows where the computer field starts with a certain string and sending that input to the respective index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But it will put a lot of load on the DB. We thought of fetching all rows at once.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the index for each computer already exist?
I can see an issue with this approach in the longer term - if you add a new computer to your network, but forget to create its index your data will end up in the wrong place or dropped entirely.
Clearly if you have a larger number of computers and indexes, this will become quite troublesome to manage as your environment grows.
If you must use separate indexes, you could configure different DB queries for each compute rname, and this would allow you to be on top of the 1-1 computer-index requirements.
However - why the specific requirement for separate indexes? I cant think of any good reason why you would 'need' to use different indexes - but i also know sometimes business 'needs' drive decisions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, Indexes blr,chn,del are already created. We need to use separate indexes to avoid people from accessing other's data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If there a privacy issues, I think i would always prefer to create 'per customer' dbx queries, rather than rely on regex to enforce my separation - It's also easier to fix in the future!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Arun_N_007,
When data indexed into index from db-inputs.conf, how data looks like? Is it possible you to provide sample event (Please mask any sensitive data) ?
EDIT: If your events looks something like this Computer="BLR0057" Application="Calculator" Duration="30" after indexing then can you please try below transforms.conf on server in which DB Connect App is installed.
[index_extraction]
REGEX = Computer\=\"(\w{3}).*
DEST_KEY = _MetaData:Index
FORMAT = $1
WRITE_META = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @harsmarvania57,
I pushed above but not working 😞
Yes data will be in Computer="BLR0057" Application="Calculator" Duration="30" format only.
Regards,
Arun N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you applied configuration on server in which DB Connect App is installed and running?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, Am using the single instance of Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your props.conf config is worng, it should be like this
[application_usage_data]
TRANSFORMS-index_extraction = index_extraction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did this also. Not working 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below config works perfectly fine in my environment
props.conf
[mysourcetype]
TRANSFORMS-routeall = test_route
transforms.conf
[test_route]
REGEX = Computer\=\"(\w{3}).*
DEST_KEY = _MetaData:Index
FORMAT = $1
WRITE_META = true
And after applying above configuration, restarted splunk service.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes i did the same but no luck 🙂
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
