All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splitting up one data source into two indexes in O365

omuelle1
Communicator
‎05-31-2019 06:05 AM

Good morning,

I have a question regarding Office 365 data:

  • I have two organizations that share one O365 tenant.
  • Both organizations want to have their own Splunk O365 index and only see their data.
  • I am able to differentiate the data by domains of users.

Is there a way to write a transforms.conf or props.conf with which I could parse the data with certain domains to go to one index and data with certain domains to the other?

Thank you,

Oliver

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2019 01:00 AM

Hi omuelle1,
yiou have to write a props.conf and transforma.conf on your indexers; if you have an Heavy Forwarders (and you should have it) you have to put these files on the Heavy Forwarders.

On props.conf 

 [mysourcetype]
 TRANSFORMS-index = overrideindex

On transforms.conf 

 [overrideindex]
 DEST_KEY =_MetaData:Index
 REGEX = my_regex
 FORMAT = my_new_index

where my_regex is the regex that identifies the logs to forward to a different Index.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2019 01:00 AM

Hi omuelle1,
yiou have to write a props.conf and transforma.conf on your indexers; if you have an Heavy Forwarders (and you should have it) you have to put these files on the Heavy Forwarders.

On props.conf 

 [mysourcetype]
 TRANSFORMS-index = overrideindex

On transforms.conf 

 [overrideindex]
 DEST_KEY =_MetaData:Index
 REGEX = my_regex
 FORMAT = my_new_index

where my_regex is the regex that identifies the logs to forward to a different Index.

Bye.
Giuseppe

Reply
Solved! Jump to solution

omuelle1
Communicator
‎06-25-2019 07:56 AM

Thank you I just did that with some test data and it worked. I will need to try it as well once I have the live data.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-25-2019 08:00 AM

Hi omuelle1,
if you're satisfied by this answer, please accept and/ot upvote it.
We'll see for the next tip.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

oscar84x
Contributor
‎06-21-2019 11:59 AM

What in the actual events or data tells them apart? What about the file name? Could you provide a data sample and highlight what differentiates them?

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...