Can I use a _meta variable from inputs in a transf...

las · ‎07-02-2020

Hi.

I have a business requirement where I need to index data from multiple of our vendors that also use Splunk.

The vendors have added a _TCP_ROUTING to send data to both our Heavy Forwarders and their own infrastructure.

I have a dedicated port for each vendor in my inputs.conf on the Heavy Forwarder:

[splunktcp-ssl:9997]
disabled = 0
_meta userindex::splunk_test

My idea was to have a different userindex for each input stanza

Next step is a generic props.conf:

[host::*]
TRANSFORMS-force_index = force_index

Finally I was hoping it would be possible to do the magic in my transforms.conf:

[force_index]
DEST_KEY = MetaData:Sourcetype
REGEX = (.+)
FORMAT = $1
SOURCE_KEY = _meta:userindex
WRITE_META = true

I know I'm not rewriting the index, but it is easier to look at the sourcetype, as the events get indexed and it should be a small change to rewrite the index instead of the sourcetype.

Long story... so to the question.

Is it possible to reference the _meta variable I have set in the input stanza in the regex of the transform on the same Heavy Forwarder?

Kind regards

Lars

P.S.

I agree it is a bad idea to rewrite the index, it should be set at the source, but I think it is necessary, as our indexes do not match those of our vendors and I want each vendors data to be indexed in the same index.

Can I use a _meta variable from inputs in a transforms on the same heavy forwarder?

heavy forwarder

index

inputs.conf

props.conf

transforms.conf

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!