Getting Data In

Can forwarder read first few lines, then split logs into different indexes?

cpraznowski_spl
Splunk Employee

Folks…gotta question here:

I have two websites flowing access_combined into the same directory.

Each site needs to go to its own Splunk index.

There is nothing in the filename that will identify the site.

Can the forwarder read the first few lines of the file and then send the file to the appropriate directory?

Going to post on Answers as well.

Clustered WebSphere server serving up many sites at once, logging centrally.

1 Solution

martin_mueller
SplunkTrust

If there are identifying features in each event instead of the path then you could use transforms.conf routing to set the index.



martin_mueller
SplunkTrust

You'd need a heavy forwarder if you want to perform this at the source; however, your indexers can do this too, so you can work with a universal forwarder.

I don't quite understand your second point... are you asking where you need to point to your transforms.conf entry? That'd be in props.conf under a sourcetype, source, or host stanza. In your case I'd lean towards source because you probably don't want to apply the transformation to all apache web logs or all logs coming from the entire host.

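A concrete props.conf / transforms.conf pair that implements the event-content routing martin_mueller describes (index set by a transform, attached under a source stanza so it only touches these logs). This is an added example, not configuration from the thread or from Splunk's docs. It assumes the log lines carry the virtual host name as their first field (Apache's `%v` in the LogFormat); the directory path, hostnames and index names are placeholders.

```ini
# props.conf -- lives on the heavy forwarder or the indexers (wherever parsing
# happens), not on a universal forwarder. Added example, not from the thread.
# Assumed placeholder path: both sites write into /opt/websphere/logs/http/
[source::/opt/websphere/logs/http/*.log]
TRANSFORMS-route_by_site = route_site_a, route_site_b

# transforms.conf -- same host as props.conf above.
# Assumed LogFormat puts the server's virtual host (%v) first, so an event
# looks like (constructed sample line):
#   www.site-a.example 10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
# REGEX runs against _raw; anchor it at line start so a site name that appears
# later in the event (e.g. inside a referer) cannot trigger the wrong route.
# Events matching neither transform keep the index set in inputs.conf.
[route_site_a]
REGEX = ^www\.site-a\.example\s
DEST_KEY = _MetaData:Index
FORMAT = web_site_a

[route_site_b]
REGEX = ^www\.site-b\.example\s
DEST_KEY = _MetaData:Index
FORMAT = web_site_b
```

Both target indexes must already exist in indexes.conf on the indexers, or the events are dropped into lastChanceIndex / discarded depending on version. If more than one transform in the TRANSFORMS list matches an event, the last one to set `_MetaData:Index` wins, so keep the patterns mutually exclusive. Key the route on a server-side field such as `%v` rather than a client-supplied one like `%{Host}i`; otherwise a crafted request could steer its own log line into the other site's index. If the lines are plain access_combined with no host field at all, the REGEX has to key on something else that is genuinely per-site in the event (a site-specific path prefix, for instance). `splunk btool props list --debug` on the parsing host shows which stanza actually wins for the source.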

cpraznowski_spl
Splunk Employee

Agreed... following this doc:
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
This is a great feature. In my case, all logging is dumped to a single directory from multiple sites; we'll need to pull the eggs out of the basket and send them to the respective indexes.
Thanks again!


martin_mueller
SplunkTrust

Don't forget to mark the answer as accepted if your issue has been resolved.


cpraznowski_spl
Splunk Employee

Thank you! Is it true that I'd need a heavy forwarder to do this, and that when transforms.conf is utilized and the source type is set to access_combined, Splunk will need to be re-instructed to understand that the source is an Apache web log? If the second statement is so, is that simply a setting in props.conf?
