Can the universal forwarder route based on field f...

juniormint · ‎06-05-2013

A file I am monitoring looks something like the following

[timestamp] index=layer1 message="123456"
[timestamp] index=layer2 message="123456"
[timestamp] index=layer3 message="123456"
[timestamp] index=layer3 message="123456"
[timestamp] index=layer1 message="123456"
[timestamp] index=layer1 message="123456"
[timestamp] index=layer2 message="123456"

Can the forwarder somehow use the user specified index field above to route events to corresponding layer1, layer2, layer3 indexes on my indexer?

kristian_kolb · ‎06-05-2013

No. A universal forwarder cannot do that. It has no understanding of fields inside events. In fact, it does not even understand the concept of events. It's just a stream of data.

For that you need to set up a TRANSFORM, where you change the destination index based on event data. These types of operation takes place during the Parsing Phase. Install a Heavy Forwarder on the source system and do your config there, or keep the UF and do it on the Indexer. Read the relevant sections of the documentation:

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setupmultipleindexes#Route_specific_events...

Hope this helps,

Kristian

Can the universal forwarder route based on field found in the log message?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Can the universal forwarder route based on field found in the log message?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!