Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I override an index name at indexer?

khin
Explorer
‎07-07-2022 06:50 PM

Hi, I have a set up where an UF is sending data into HF. From HF, the data is supposedly to be sent to two different indexers with different indexes. For example, indexer01 receives the data with indexA while indexer02 receives the same data with indexB. 

This is what I have tried so far, but not working.  However the data flow is correct and sending the same data to both indexers with the predefined indexA from UF.

inputs.conf (UF)

[monitor:///home/name/samplelogs]
disabled = false
index = indexA
sourcetype = sourcetypeA

inputs.conf (HF)

[splunktcp://9997]

outputs.conf (HF)

[tcpout]
defaultGroup = indexer01, indexer02
[tcpout:indexer01]
server=indexer01_IP
[tcpout:indexer02]
server=indexer02_IP

inputs.conf (indexer02)

[splunktcp://9997]
index=indexA
queue=parsingQueue

props.conf (indexer02)

[sourcetypeA] (or) [host::UF_hostname] (or) [source::/home/name/samplelogs]
TRANSFORMS-index = overrideindex

transforms.conf (indexer02)

[overrideindex]
DEST_KEY =_MetaData:Index
REGEX = .
FORMAT = indexB

 Any help would be appreciated!  Thanks!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-07-2022 09:19 PM

You can't overwrite the index at indexer level in your case. Data is parsed st HF level and indexers only receive it and write to indexes, they don't process it anymore. An event is only processed once - on the first "heavy" component in event's path.

So if you want to send the event to different indexes on different indexers you'd have to do something more complicated - use CLONE_SOURCETYPE to duplicate an event with a new sourcetype and for that sourcetype overwrite an index, probably overwrite sourcetype back to the original one and route to proper output.

Why would you want to send the event to two different indexes on two different indexers in the first place? It's gonna count twice against your licenses.

0 Karma
Reply

khin
Explorer
‎07-07-2022 11:50 PM

Hi PickleRick, thank you for the fast reply.

It is because the two indexers are from different environments and they want their indexes to be named accordingly.

Could you elaborate further on cloning the sourcetype? An example will be a lot of help. Thanks!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-08-2022 01:35 AM

I haven't used CLONE_SOURCETYPE myself (didn't have the need for that).

But you can read about it here: https://conf.splunk.com/files/2020/slides/PLA1154C.pdf

 

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...