Can I use a _meta variable from inputs in a transf...

las · ‎07-02-2020

Hi.

I have a business requirement where I need to index data from multiple of our vendors that also use Splunk.

The vendors have added a _TCP_ROUTING to send data to both our Heavy Forwarders and their own infrastructure.

I have a dedicated port for each vendor in my inputs.conf on the Heavy Forwarder:

[splunktcp-ssl:9997]
disabled = 0
_meta userindex::splunk_test

My idea was to have a different userindex for each input stanza

Next step is a generic props.conf:

[host::*]
TRANSFORMS-force_index = force_index

Finally I was hoping it would be possible to do the magic in my transforms.conf:

[force_index]
DEST_KEY = MetaData:Sourcetype
REGEX = (.+)
FORMAT = $1
SOURCE_KEY = _meta:userindex
WRITE_META = true

I know I'm not rewriting the index, but it is easier to look at the sourcetype, as the events get indexed and it should be a small change to rewrite the index instead of the sourcetype.

Long story... so to the question.

Is it possible to reference the _meta variable I have set in the input stanza in the regex of the transform on the same Heavy Forwarder?

Kind regards

Lars

P.S.

I agree it is a bad idea to rewrite the index, it should be set at the source, but I think it is necessary, as our indexes do not match those of our vendors and I want each vendors data to be indexed in the same index.

Can I use a _meta variable from inputs in a transforms on the same heavy forwarder?

heavy forwarder

index

inputs.conf

props.conf

transforms.conf

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?