Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rotuing data to specific indexes

aab5272
Engager
‎06-28-2017 07:00 AM

I have situtationn where i have cluster master which managed the indexer cluster . I am getiing data in load balancing way based on autoLBfrequency . Now i want to route data at a particular index , do iahve to make change in props.conf and tansform.conf at the master or at each peer indexer ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

WalshyB
Path Finder
‎06-28-2017 07:18 AM

On the Cluster Master, the app is in /etc/master-apps right?

Change the props, transforms in the relevant app and then push the cluster bundle - ./splunk apply cluster-bundle

This will push the new bundle to the cluster members. If you need information on the filtering, please let me know

Example on filtering:
within transforms

[index_filter_example]
REGEX = regex for what you want to match
FORMAT = index name
DEST_KEY = _MetaData:Index

within props
[sourcetype]
TRANSFORMS-index_filters = index_filter_example, .....

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-28-2017 08:09 AM

Hi aab5272,
sorry but I don't understand yyour need: are you speaking about forwarding data to indexers and do you want to send data to a clustered index?
in this case you have only to specify index in your inputs.conf file on forwarders.

If instead you want to send logs to a non clustered index that is present in only one Indexer, you have to use selective indexing (see http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad).

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

aab5272
Engager
‎06-28-2017 09:21 AM

yes My cluster is indexer cluster . and other question is that how does splunk handle creation of indexes?
like ket say i have multisite indexer cluster where would i create index ?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-28-2017 11:50 PM

In indexers cluster, indexes are created on the master node, otherwise they aren't replicated.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

WalshyB
Path Finder
‎06-28-2017 07:18 AM

On the Cluster Master, the app is in /etc/master-apps right?

Change the props, transforms in the relevant app and then push the cluster bundle - ./splunk apply cluster-bundle

This will push the new bundle to the cluster members. If you need information on the filtering, please let me know

Example on filtering:
within transforms

[index_filter_example]
REGEX = regex for what you want to match
FORMAT = index name
DEST_KEY = _MetaData:Index

within props
[sourcetype]
TRANSFORMS-index_filters = index_filter_example, .....

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...