Can the universal forwarder route based on field f...

juniormint · ‎06-05-2013

A file I am monitoring looks something like the following

[timestamp] index=layer1 message="123456"
[timestamp] index=layer2 message="123456"
[timestamp] index=layer3 message="123456"
[timestamp] index=layer3 message="123456"
[timestamp] index=layer1 message="123456"
[timestamp] index=layer1 message="123456"
[timestamp] index=layer2 message="123456"

Can the forwarder somehow use the user specified index field above to route events to corresponding layer1, layer2, layer3 indexes on my indexer?

kristian_kolb · ‎06-05-2013

No. A universal forwarder cannot do that. It has no understanding of fields inside events. In fact, it does not even understand the concept of events. It's just a stream of data.

For that you need to set up a TRANSFORM, where you change the destination index based on event data. These types of operation takes place during the Parsing Phase. Install a Heavy Forwarder on the source system and do your config there, or keep the UF and do it on the Indexer. Read the relevant sections of the documentation:

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setupmultipleindexes#Route_specific_events...

Hope this helps,

Kristian

Can the universal forwarder route based on field found in the log message?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation