Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can the universal forwarder route based on field found in the log message?

juniormint
Communicator
‎06-05-2013 05:05 AM

A file I am monitoring looks something like the following

[timestamp] index=layer1 message="123456"
[timestamp] index=layer2 message="123456"
[timestamp] index=layer3 message="123456"
[timestamp] index=layer3 message="123456"
[timestamp] index=layer1 message="123456"
[timestamp] index=layer1 message="123456"
[timestamp] index=layer2 message="123456"

Can the forwarder somehow use the user specified index field above to route events to corresponding layer1, layer2, layer3 indexes on my indexer?

Tags (3)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-05-2013 05:54 AM

No. A universal forwarder cannot do that. It has no understanding of fields inside events. In fact, it does not even understand the concept of events. It's just a stream of data.

For that you need to set up a TRANSFORM, where you change the destination index based on event data. These types of operation takes place during the Parsing Phase. Install a Heavy Forwarder on the source system and do your config there, or keep the UF and do it on the Indexer. Read the relevant sections of the documentation:

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setupmultipleindexes#Route_specific_events...

Hope this helps,

Kristian

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...