How do I maintain data integrity in a Splunk index? I mean, is there any whitelisting of servers, so that only specific servers are allowed to forward data to a specific index?
For example: I have two indexes, index_test1 and index_test2, and 4 servers (A, B, C, D) configured to forward data. I want only servers A and B to send data to index_test1, and B and C to send data to index_test2.
Sample stanza (inputs.conf on the forwarder):
# monitor stanzas take three slashes: "monitor://" followed by the absolute path
[monitor:///var/log/test/app/test.log]
index = index_test1
sourcetype = test_Log
source = test_log_f1
disabled = 0
The reason I am looking for this is that if someone makes a typo, the intended data will be pushed to the wrong index.
Hello @sunnyb147,
I think something like the following will work for you:
props.conf
# match on the host field of incoming events and hand them to a transform
[host::A|B]
TRANSFORMS-datafilter = route_to_correct_index
[host::C|D]
TRANSFORMS-datafilter = route_to_correct_index2
transforms.conf
# REGEX = . matches every non-empty event; the transform then overwrites
# the index the forwarder asked for with the one given in FORMAT
[route_to_correct_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_test1
[route_to_correct_index2]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index_test2
Place these settings on the HF or the indexer.
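As an added example (not part of the question or the answer above), this is a small pre-deployment check for the typo scenario the question describes: it parses a forwarder's inputs.conf and reports every monitor stanza whose index is not on that host's allow-list. The allow-list mirrors the question's requirement (A and B to index_test1, B and C to index_test2); the inputs.conf text, the host names and the misspelled index are constructed sample data.

```python
"""Audit a forwarder's inputs.conf against a per-host index allow-list."""
import configparser

# Constructed policy, taken from the question: which indexes each
# forwarding host is permitted to write to.
ALLOWED_INDEXES = {
    "A": {"index_test1"},
    "B": {"index_test1", "index_test2"},
    "C": {"index_test2"},
    "D": set(),
}

# Constructed inputs.conf as it might exist on host A. The second
# stanza carries the kind of typo the question worries about.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log/test/app/test.log]
index = index_test1
sourcetype = test_Log

[monitor:///var/log/test/app/other.log]
index = index_tset1
sourcetype = test_Log
"""


def parse_inputs(text):
    """Return {stanza: index} for every monitor stanza in an inputs.conf.

    Splunk .conf files are INI-style, so configparser is enough here.
    A stanza with no index key falls back to Splunk's default, "default".
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return {s: cp[s].get("index", "default") for s in cp.sections()
            if s.startswith("monitor://")}


def audit_inputs(host, text, policy=ALLOWED_INDEXES):
    """List (stanza, index) pairs that host is not allowed to write to."""
    allowed = policy.get(host, set())
    return [(s, idx) for s, idx in parse_inputs(text).items()
            if idx not in allowed]


if __name__ == "__main__":
    for stanza, idx in audit_inputs("A", SAMPLE_INPUTS_CONF):
        print(f"host A: {stanza} -> '{idx}' is not an allowed index")
```

Run it against each forwarder's inputs.conf before pushing the deployment app; an empty result means every stanza targets an index the host may write to.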