Splitting up one data source into two indexes in O365

omuelle1
Communicator

Good morning,

I have a question regarding Office 365 data:

  • I have two organizations that share one O365 tenant.
  • Both organizations want to have their own Splunk O365 index and only see their data.
  • I am able to differentiate the data by domains of users.

Is there a way to write a transforms.conf or props.conf with which I could parse the data with certain domains to go to one index and data with certain domains to the other?

Thank you,

Oliver

0 Karma
1 Solution

gcusello
Esteemed Legend

Hi omuelle1,
you have to write a props.conf and transforms.conf on your indexers; if you have a Heavy Forwarder (and you should have one) you have to put these files on the Heavy Forwarder.

On props.conf

 [mysourcetype]
 TRANSFORMS-index = overrideindex

On transforms.conf

 [overrideindex]
 DEST_KEY = _MetaData:Index
 REGEX = my_regex
 FORMAT = my_new_index

where my_regex is the regex that identifies the logs to forward to a different Index.

Bye.
Giuseppe
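
The following is an added example (not gcusello's code and not part of the Splunk Add-on for Office 365) showing what the props.conf and transforms.conf above look like once filled in for the domain-based split the question asks for, together with a small offline check that applies the same regexes to constructed O365 events before the files are deployed to the Heavy Forwarder. The sourcetype name o365:management:activity, the domains orga.example.com and orgb.example.com, and the index names o365_orga, o365_orgb and o365_shared are assumptions; the sample events are constructed, not real tenant data. Two points the template leaves implicit are handled explicitly: REGEX is matched against the raw event (the default SOURCE_KEY is _raw), so the pattern anchors on the "UserId" JSON key rather than on an extracted field, and the pattern carries (?i) because O365 user principal names are not consistently cased. Events matching neither domain (service accounts, system principals) stay in whatever index the input assigns, which is the gap an admin should review rather than silently accept.

```python
"""Offline check of Splunk index-routing regexes for O365 events.

Added example, not from the original thread or the Splunk add-on.
Assumed: sourcetype o365:management:activity, domains orga/orgb.example.com,
indexes o365_orga / o365_orgb and a default index o365_shared.
"""
import json
import re

# Constructed props.conf: both transforms are listed in the order they run.
PROPS_CONF = r"""
[o365:management:activity]
TRANSFORMS-index = route_orga, route_orgb
"""

# Constructed transforms.conf: REGEX runs against _raw (the default SOURCE_KEY),
# so the pattern keys on the "UserId" JSON member; (?i) makes the domain match
# case-insensitive, which O365 UPNs require.
TRANSFORMS_CONF = r"""
[route_orga]
REGEX = (?i)"UserId"\s*:\s*"[^"]+@orga\.example\.com"
DEST_KEY = _MetaData:Index
FORMAT = o365_orga

[route_orgb]
REGEX = (?i)"UserId"\s*:\s*"[^"]+@orgb\.example\.com"
DEST_KEY = _MetaData:Index
FORMAT = o365_orgb
"""

# Constructed sample events in the shape of O365 management-activity JSON.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-01-15T08:01:02", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "alice@orga.example.com"},
    {"CreationTime": "2024-01-15T08:03:10", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "Bob@OrgB.example.com"},
    {"CreationTime": "2024-01-15T08:04:00", "Operation": "Set-Mailbox",
     "Workload": "Exchange", "UserId": "NT AUTHORITY\\SYSTEM"},
]


def parse_conf(text):
    """Minimal .conf reader: returns {stanza: {key: value}} in file order."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_event(raw, sourcetype, default_index, props, transforms):
    """Emulate TRANSFORMS-index: each listed transform is tried in order and
    the last one whose REGEX matches _raw sets the index; no match keeps
    the default index the input assigned."""
    index = default_index
    names = props.get(sourcetype, {}).get("TRANSFORMS-index", "")
    for name in (n.strip() for n in names.split(",") if n.strip()):
        t = transforms[name]
        if t.get("DEST_KEY") != "_MetaData:Index":
            continue
        if re.search(t["REGEX"], raw):
            index = t["FORMAT"]
    return index


def route_samples(default_index="o365_shared"):
    """Return [(UserId, index)] for the constructed events."""
    props = parse_conf(PROPS_CONF)
    transforms = parse_conf(TRANSFORMS_CONF)
    return [
        (ev["UserId"],
         route_event(json.dumps(ev), "o365:management:activity",
                     default_index, props, transforms))
        for ev in SAMPLE_EVENTS
    ]


def unrouted(default_index="o365_shared"):
    """UserIds that matched neither domain: review these before go-live."""
    return [uid for uid, idx in route_samples(default_index) if idx == default_index]


if __name__ == "__main__":
    for uid, idx in route_samples():
        print(f"{uid:32} -> {idx}")
    print("not matched by either domain:", unrouted())
```

Running the script prints one line per sample event with the index it would land in; the system principal ends up in the default index, which is the list to check when the live data arrives. The same approach works for more than two organisations: add one stanza per domain to transforms.conf and append its name to the TRANSFORMS-index list.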

omuelle1
Communicator

Thank you I just did that with some test data and it worked. I will need to try it as well once I have the live data.

0 Karma

gcusello
Esteemed Legend

Hi omuelle1,
if you're satisfied by this answer, please accept and/or upvote it.
We'll see for the next tip.
Bye.
Giuseppe

0 Karma

oscar84x
Contributor

What in the actual events or data tells them apart? What about the file name? Could you provide a data sample and highlight what differentiates them?
