Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't route forwarded data to different index?

gljiva
Path Finder
‎04-28-2010 09:52 PM

Hi, i saw many suggestions to routing data to different index from light forwarder but none seems to work. I have set up light forwarder that sends cooked data to my indexer. Connection is ok, because data gets indexed but in wrong index.

Here are some of configurations i have tried (on indexer side):

inputs.conf 
[splunktcp://9997]
index = test_2

Next one:
inputs.conf 
[splunktcp://9997]

props.conf
[host::Simpson-test]
index = test_2
TRANSFORMS-foo = routeIndex

transforms.conf
[routeIndex]
SOURCE_KEY = source
REGEX = = WinEventLog
DEST_KEY =_MetaData:Index
FORMAT = test_2

Next one:
inputs.conf 
[splunktcp://9997]
sourcetype=REMOTE

props.conf
[REMOTE]
TRANSFORMS-simremote = sremote

transforms.conf
[sremote]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = test_2

Data allways ends up in index that was defined on lightforwarder (test_1). I would like to route data that comes to indexer based on sourcetype and host. Data comes from lightforwarder and is cooked so i suppose that sourcetype and host allready exist and i can do REGEX search on SOURCE_KEY?

Any hints abouth troubleshooting this?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-28-2010 11:27 PM

The light forwarder can send to a specific index if you set the destination index in inputs.conf on the forwarder itself. This can be overridden at the indexer using props.conf/transforms.conf for a specific host or sourcetype.

props.conf:

[myfavoritesourcetype]
    TRANSFORMS-index=sendtomyindex

transforms.conf:

[sendtomyindex]
SOURCE_KEY=MetaData:Sourcetype
REGEX=(.*)
FORMAT=index::myindex
WRITE_META=true

Update: it looks like this works just as well. I'm not sure which is preferable...

[sendtomyindex]
SOURCE_KEY=_MetaData:Index
DEST_KEY=_MetaData:Index
REGEX=(.*)
FORMAT=myindex

View solution in original post

Reply
Solved! Jump to solution

Jason
Motivator
‎05-12-2010 11:05 PM

The easiest way is to specify the index in inputs.conf on the forwarder.

It seemed counter-intuitive to me at first, as if I was directing the forwarder to index something locally. But data is sent along to the indexer and placed into the desired index (as defined in an indexes.conf on the indexer).

On the forwarder, inputs.conf:

[monitor:///filename/or/other/input/type/]
disabled = false
index=ghtest5
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-28-2010 11:27 PM

The light forwarder can send to a specific index if you set the destination index in inputs.conf on the forwarder itself. This can be overridden at the indexer using props.conf/transforms.conf for a specific host or sourcetype.

props.conf:

[myfavoritesourcetype]
    TRANSFORMS-index=sendtomyindex

transforms.conf:

[sendtomyindex]
SOURCE_KEY=MetaData:Sourcetype
REGEX=(.*)
FORMAT=index::myindex
WRITE_META=true

Update: it looks like this works just as well. I'm not sure which is preferable...

[sendtomyindex]
SOURCE_KEY=_MetaData:Index
DEST_KEY=_MetaData:Index
REGEX=(.*)
FORMAT=myindex
Reply
Solved! Jump to solution

Lowell
Super Champion
‎04-29-2010 01:52 PM

Side note on your regex: You should be able to use REGEX=.?, which should be more efficient way to say match-all.

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎04-29-2010 11:26 AM

Interesting, I tried both of these (and some variations that didn't work) and only saw one "index" field in each case. But then again, I'm struggling to see "_index" in the UI. How are you seeing that?

0 Karma
Reply
Solved! Jump to solution

gljiva
Path Finder
‎04-29-2010 08:27 AM

Thanks alot, got it to work!
First one doesn't exactly work. It really adds new _index field to data, but doesn't delete old one. So I end up having two _index fields, but only first _index field is used to store data, and second one seems to get ignored.

Second one works great if i write it like this:
[routeIndex]
SOURCE_KEY = MetaData:Sourcetype
REGEX=(.*)
DEST_KEY=_MetaData:Index
FORMAT=test_2
WRITE_META=true

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...