Routing data to a specific index from a LWF

smithjnick
Path Finder

Tried a number of variations here but to no avail.

Situation: I have a number of UFs sending data onto a LWF which then sends all data onto my indexer. On my indexer I have created an index to store the data. I am trying to route all the data into this new index from the LWF and have had little luck so far.

On the LWF I placed the following global stanza in inputs.conf:
[default]
index=mynewindex

From what I have read, this should direct all data coming in from all the UFs into mynewindex sitting on the indexer. This does not work? I swapped out the LWF with an HF and still the same result? Am I missing something from my conf files?

This did work if I added the above stanza to the inputs.conf file located on the UFs, but this is not the way I want to do it. I just want one entry to manage on my LWF/HF that can achieve the same result.

I appreciate any guidance.

0 Karma

Ayn
Legend

Like you say, this only works in inputs.conf on the Splunk instance that originally picks up the event data. To change the index on a forwarding Splunk instance between the UF and the indexer, this forwarder needs to be a heavy forwarder so you can parse and rewrite the events' metadata. Once you have that, you add settings in props.conf and transforms.conf to rewrite which index events should go to. To create a default rule, this should do:

props.conf:

[default]
TRANSFORMS-index = setdefaultindex

transforms.conf:

[setdefaultindex]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = mynewindex

0 Karma

Ayn
Legend
  1. Use a SOURCE_KEY match in your setdefaultindex transform.

    SOURCE_KEY = _MetaData:Index
    REGEX = indexyouwantthistoapplyto
    DEST_KEY = _MetaData:Index
    FORMAT = mynewindex

  2. It's a default rule, so it would rewrite everything.

0 Karma

smithjnick
Path Finder

Couple of q's on this:

1 - I only wish to receive UF Windows events into 'mynewindex' and not the splunkd stuff from the HF. What would be the best way to achieve this? Do I need the splunkd info? If so, can I redirect it somewhere else?

2 - Would your solution also redirect syslogs into 'mynewindex', or does it just concern itself with tcp9997 data?

thanks
nick

0 Karma
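To show how the two transforms from the answers above behave on the kinds of events asked about in the last post, here is an added Python model (editor's example, not Splunk code and not from any poster). It assumes Splunk searches REGEX against the SOURCE_KEY value rather than anchoring it, and that a TRANSFORMS-index set in a sourcetype stanza of props.conf replaces the one set in [default] for that sourcetype.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    raw: str
    sourcetype: str
    index: str          # stands in for the _MetaData:Index key

@dataclass
class Transform:
    """Simplified model of a transforms.conf stanza (assumption: REGEX is
    searched, not anchored, against the SOURCE_KEY value)."""
    regex: str
    format: str
    source_key: str = "_raw"              # Splunk's default SOURCE_KEY

    def apply(self, ev: Event) -> None:
        value = ev.raw if self.source_key == "_raw" else ev.index
        if re.search(self.regex, value):
            ev.index = self.format         # DEST_KEY = _MetaData:Index

# transforms.conf from the answer: matches every event with a non-empty _raw
DEFAULT_RULE = Transform(regex=".", format="mynewindex")
# transforms.conf from the follow-up: only touch events already bound for "main"
SCOPED_RULE = Transform(regex="^main$", format="mynewindex",
                        source_key="_MetaData:Index")

def route(events, props):
    """props models props.conf: sourcetype -> transform, with the [default]
    stanza applying to any sourcetype that has no stanza of its own."""
    out = {}
    for e in events:
        ev = Event(e.raw, e.sourcetype, e.index)
        rule = props.get(ev.sourcetype, props.get("default"))
        if rule is not None:
            rule.apply(ev)
        out[ev.sourcetype] = ev.index
    return out

# Constructed sample events as they would arrive at the HF
SAMPLE = [
    Event("EventCode=4624 Logon Type=3", "WinEventLog:Security", "main"),
    Event("INFO Metrics - group=thruput", "splunkd", "_internal"),
    Event("<34>sshd[1234]: Accepted publickey", "syslog", "main"),
]

if __name__ == "__main__":
    print(route(SAMPLE, {"default": DEFAULT_RULE}))              # everything rewritten
    print(route(SAMPLE, {"default": SCOPED_RULE}))               # _internal left alone
    print(route(SAMPLE, {"WinEventLog:Security": DEFAULT_RULE})) # Windows events only
```

Running it shows the [default] rule also pulls the HF's own splunkd events out of _internal, the SOURCE_KEY rule leaves them alone but still moves syslog bound for main, and only a per-sourcetype props.conf stanza limits the rewrite to the Windows events.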