Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rotuing data to specific indexes

aab5272
Engager
‎06-28-2017 07:00 AM

I have situtationn where i have cluster master which managed the indexer cluster . I am getiing data in load balancing way based on autoLBfrequency . Now i want to route data at a particular index , do iahve to make change in props.conf and tansform.conf at the master or at each peer indexer ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

WalshyB
Path Finder
‎06-28-2017 07:18 AM

On the Cluster Master, the app is in /etc/master-apps right?

Change the props, transforms in the relevant app and then push the cluster bundle - ./splunk apply cluster-bundle

This will push the new bundle to the cluster members. If you need information on the filtering, please let me know

Example on filtering:
within transforms

[index_filter_example]
REGEX = regex for what you want to match
FORMAT = index name
DEST_KEY = _MetaData:Index

within props
[sourcetype]
TRANSFORMS-index_filters = index_filter_example, .....

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-28-2017 08:09 AM

Hi aab5272,
sorry but I don't understand yyour need: are you speaking about forwarding data to indexers and do you want to send data to a clustered index?
in this case you have only to specify index in your inputs.conf file on forwarders.

If instead you want to send logs to a non clustered index that is present in only one Indexer, you have to use selective indexing (see http://docs.splunk.com/Documentation/Splunk/6.6.1/Forwarding/Routeandfilterdatad).

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

aab5272
Engager
‎06-28-2017 09:21 AM

yes My cluster is indexer cluster . and other question is that how does splunk handle creation of indexes?
like ket say i have multisite indexer cluster where would i create index ?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-28-2017 11:50 PM

In indexers cluster, indexes are created on the master node, otherwise they aren't replicated.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

WalshyB
Path Finder
‎06-28-2017 07:18 AM

On the Cluster Master, the app is in /etc/master-apps right?

Change the props, transforms in the relevant app and then push the cluster bundle - ./splunk apply cluster-bundle

This will push the new bundle to the cluster members. If you need information on the filtering, please let me know

Example on filtering:
within transforms

[index_filter_example]
REGEX = regex for what you want to match
FORMAT = index name
DEST_KEY = _MetaData:Index

within props
[sourcetype]
TRANSFORMS-index_filters = index_filter_example, .....

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...