Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Assign an index and sourcetype name different from forwarder in Indexers

KarunK
Contributor
‎01-31-2013 09:25 PM

Hi All,

I have a cisco edge device with Splunk forwarder (UF) embedded in it. That means index and sourcetype is already defined in UF. But in my existing Splunk indexer farm, I have to use a different index name and sourcetype name.
I cant change the CISCO device UF setting as it will a hack and also cannot change the naming convention in the Splunk farm. So somehow I have to transform the index and sourcetype names in UF to Indexer naming convention.

How can I do this ?

Thanks in Advance.

Regards

KK

Tags (1)
0 Karma
Reply

KarunK
Contributor
‎02-04-2013 10:19 PM

Hi kristian and gkanapathy,

Thanks for your answers. I have made following changes to overwrite an index, but I am getting a warning and also I cannot see the data in the new index or in old index.

Can anyone help ?

Thanks in Advance

IndexProcessor - received event for **unconfigured/disabled index='index::cdn_transaction_routed'* with source='source::/logs/service_router/service_router_10.100.110.25_20130205_054001_11063' host='host::10.100.110.25' sourcetype='sourcetype::sr_transaction' (1 missing total)*

index.conf

[cdn_transaction]
coldPath = $SPLUNK_DB/cdn_transaction/colddb
homePath = $SPLUNK_DB/cdn_transaction/db
thawedPath = $SPLUNK_DB/cdn_transaction/thaweddb

[cdn_transaction_routed]
coldPath = $SPLUNK_DB/cdn_transaction_routed/colddb
homePath = $SPLUNK_DB/cdn_transaction_routed/db
thawedPath = $SPLUNK_DB/cdn_transaction_routed/thaweddb
disabled = 0

props.conf

[source::/logs/service_router/service_router_*]
TRANSFORMS-change_sr_index=change_sr_index

transforms.conf

[change_sr_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = index::cdn_transaction_routed
0 Karma
Reply

KarunK
Contributor
‎02-05-2013 04:21 PM

Worked Well..... Thanks Mate....

0 Karma
Reply

kristian_kolb
Ultra Champion
‎02-05-2013 04:07 AM

I think (if I remember correctly) that it should be FORMAT = cdn_transaction_routed, i.e. without the index::

/K

Reply

kristian_kolb
Ultra Champion
‎02-01-2013 01:27 AM

gkanapathy is right, and this is where you should look for guidance:

http://docs.splunk.com/Documentation/Splunk/5.0.1/Indexer/Setupmultipleindexes#Route_specific_events...

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-01-2013 12:02 AM

The correct way to do this is to edit the configuration on the UF instance on the edge device. If that's truly impossible, you can use a set of TRANSFORMs on the indexers.

Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top