Archive

forward events to multiple indexers

Communicator

hi everyone,

I have web server events.
I want to forward specific events that contain digits 404 to index1 and remaining event to index2.
below is an example event:
12.130.60.4 - - [13/Jan/2016 21:03:09:149] "GET /category.screen?category_id=GIFTS&JSESSIONID=SD9SL6FF8ADFF9 HTTP 1.1" 404 3585 "http://www.myflowershop.com/category.screen?category_id=GIFTS" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 976

Please advise.

Tags (1)
0 Karma

SplunkTrust
SplunkTrust

Try this:

In props.conf:

[mysourcetype]
TRANSFORMS-setIndex = setindex1, setindex2

In transforms.conf:

[setindex1]
DEST_KEY = _MetaData:Index
REGEX = 404
FORMAT = index1

[setindex2]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = index2
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Communicator

hi
thanks for your kind support. yesterday I achieved that. below is my working config.

inputs.conf
[monitor:///splunkfiles/lxxx/access_combined.log]
sourcetype = access_combined
index = webindex

props.conf
[access_combined]
TRANSFORMS-local = notfound

Transforms.conf

[notfound]
REGEX = "\s(404)\s
DEST_KEY = _MetaData:Index
FORMAT = notfoundindex

Initially, I used your approach. but it did not work with me.

can you please explain line 8 in transforms.conf.

lastly, we task is to move the events to corresponding indexes before getting indexed(save license). Is this method correct?

0 Karma