How do I redirect logs from the default main index...

nls7010 · ‎09-28-2018

We are trying to set up to log container logs into Splunk 6.6.3.

We have set up an index and an application with an inputs.conf file and successfully updated the Splunk forwarder with the information inside the container. However, when we see the files coming in, they appear to be ignoring the app settings that includes our index and instead are sending the ingested logs to the main index.

How do I redirect them to the correct index (not the main index)?

nls7010 · ‎10-03-2018

Question. What belongs in the [mysourcetype] in the props.conf? Is it looking for a sourcetype value?

pruthvikrishnap · ‎09-28-2018

You can also override your index on heavy forwarder of indexer `

On your indexer or heavy forwarder:

# etc/system/local/transforms.conf
[overrideindex]
DEST_KEY =_MetaData:Index
REGEX = .
FORMAT = my_new_index

#etc/system/local/props.conf
[mysourcetype]
TRANSFORMS-index = overrideindex`

also route your data https://answers.splunk.com/answers/1026/route-data-to-index-based-on-host.html.

Let me know if this helps

nls7010 · ‎10-02-2018

I will work with my client and let you know if the redirection will work. Thank you for your reply.

renjith_nair · ‎09-28-2018

@nls7010, Is your inputs.conf in app is being considered while forwarding? Suggest to check the file precedence. Try running a btool on inputs and see which configuration is considered for your log files

---
What goes around comes around. If it helps, hit it with Karma 🙂

How do I redirect logs from the default main index to a new index?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!