Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I override an index name at indexer?

khin
Explorer
‎07-07-2022 06:50 PM

Hi, I have a set up where an UF is sending data into HF. From HF, the data is supposedly to be sent to two different indexers with different indexes. For example, indexer01 receives the data with indexA while indexer02 receives the same data with indexB. 

This is what I have tried so far, but not working.  However the data flow is correct and sending the same data to both indexers with the predefined indexA from UF.

inputs.conf (UF)

[monitor:///home/name/samplelogs]
disabled = false
index = indexA
sourcetype = sourcetypeA

inputs.conf (HF)

[splunktcp://9997]

outputs.conf (HF)

[tcpout]
defaultGroup = indexer01, indexer02
[tcpout:indexer01]
server=indexer01_IP
[tcpout:indexer02]
server=indexer02_IP

inputs.conf (indexer02)

[splunktcp://9997]
index=indexA
queue=parsingQueue

props.conf (indexer02)

[sourcetypeA] (or) [host::UF_hostname] (or) [source::/home/name/samplelogs]
TRANSFORMS-index = overrideindex

transforms.conf (indexer02)

[overrideindex]
DEST_KEY =_MetaData:Index
REGEX = .
FORMAT = indexB

 Any help would be appreciated!  Thanks!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-07-2022 09:19 PM

You can't overwrite the index at indexer level in your case. Data is parsed st HF level and indexers only receive it and write to indexes, they don't process it anymore. An event is only processed once - on the first "heavy" component in event's path.

So if you want to send the event to different indexes on different indexers you'd have to do something more complicated - use CLONE_SOURCETYPE to duplicate an event with a new sourcetype and for that sourcetype overwrite an index, probably overwrite sourcetype back to the original one and route to proper output.

Why would you want to send the event to two different indexes on two different indexers in the first place? It's gonna count twice against your licenses.

0 Karma
Reply

khin
Explorer
‎07-07-2022 11:50 PM

Hi PickleRick, thank you for the fast reply.

It is because the two indexers are from different environments and they want their indexes to be named accordingly.

Could you elaborate further on cloning the sourcetype? An example will be a lot of help. Thanks!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-08-2022 01:35 AM

I haven't used CLONE_SOURCETYPE myself (didn't have the need for that).

But you can read about it here: https://conf.splunk.com/files/2020/slides/PLA1154C.pdf

 

Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...