Deployment Architecture

How do I redirect logs from the default main index to a new index?

nls7010
Path Finder

We are trying to set up to log container logs into Splunk 6.6.3.

We have set up an index and an application with an inputs.conf file and successfully updated the Splunk forwarder with the information inside the container. However, when we see the files coming in, they appear to be ignoring the app settings that includes our index and instead are sending the ingested logs to the main index.

How do I redirect them to the correct index (not the main index)?

0 Karma

nls7010
Path Finder

Question. What belongs in the [mysourcetype] in the props.conf? Is it looking for a sourcetype value?

0 Karma

pruthvikrishnap
Contributor

You can also override your index on heavy forwarder of indexer `

On your indexer or heavy forwarder:

# etc/system/local/transforms.conf
[overrideindex]
DEST_KEY =_MetaData:Index
REGEX = .
FORMAT = my_new_index

#etc/system/local/props.conf
[mysourcetype]
TRANSFORMS-index = overrideindex`

also route your data https://answers.splunk.com/answers/1026/route-data-to-index-based-on-host.html.

Let me know if this helps

0 Karma

nls7010
Path Finder

I will work with my client and let you know if the redirection will work. Thank you for your reply.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@nls7010, Is your inputs.conf in app is being considered while forwarding? Suggest to check the file precedence. Try running a btool on inputs and see which configuration is considered for your log files

Happy Splunking!
0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>