Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Change index at index time (chained UFs)

danbrook
Explorer
‎06-01-2017 03:07 AM

I am collecting Windows Event Logs via either a Windows Event Collector or directly from each Windows server (with a Splunk UF installed). I am then using an intermediate forwarder to send to our indexers. This is due to network setup and location of the servers.

I have custom metadata that the intermediate forwarder is adding to identify where the logs are coming from and use in the index name.

The problem I am having is that the Windows Event Logs are hitting the Main index and not the one I've specified in transforms.

On the intermediate forwarder I have:

inputs.conf
[splunktcp:9997]
acceptFrom = *

On the destination Indexer I have:

props.conf
[source::WinEventLog:ForwardedEvents]
TRANSFORMS-Host = Set-Host-ComputerName
TRANSFORMS-LogName = Set-Sourcetype-LogName
TRANSFORMS-Index-Windows = Set-Index-Windows

[sourcetype::WinEventLog:*]
TRANSFORMS-Index-Windows = Set-Index-Windows

...

transforms.conf
[Set-Host-ComputerName]
REGEX = (?m)ComputerName=(.+)?\b
DEST_KEY = MetaData:Host
FORMAT = host::$1

[Set-Sourcetype-LogName]
REGEX = (?m)LogName=(.+)?\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::windows:event:$1

[Set-Index-Windows]
SOURCE_KEY = MetaData:customfield
REGEX = (.+)
DEST_KEY = _MetaData:Index
FORMAT = index-$1-win-event
0 Karma
Reply

hardikJsheth
Motivator
‎06-01-2017 03:25 AM

If I understood your problem correctly, you want to put data into index named index-$custom$-win-event, I think you need to update your tranforms.conf stanza as follows:

[Set-Index-Windows]
 SOURCE_KEY = field:customfield
 REGEX = (.+)
 DEST_KEY = _MetaData:Index
 FORMAT = index-$1-win-event
0 Karma
Reply

danbrook
Explorer
‎06-01-2017 03:31 AM

The custom field is set like this on the intermediate forwarder:

[default]
_meta = customfield::ACustomString
0 Karma
Reply

micahkemp
Champion
‎06-01-2017 07:09 AM

If the custom field is set on the intermediate forwarder, I have to assume the intermediate forwarder is a heavy forwarder. If that's the case, it's sending cooked data to your indexer. The indexer won't re-cook data (under normal configuration, and best practice), so changing sourcetype/index/etc won't have any affect.

For a potential (against best practice) workaround, see this previous answer:

Reparsing cooked data coming from a heavy forwarder. Possible?

0 Karma
Reply

danbrook
Explorer
‎06-01-2017 08:59 AM

The Intermediate Forward is a Universal Forwarder. The custom metadata is being added to the logs.

0 Karma
Reply

danbrook
Explorer
‎06-01-2017 06:50 AM

SOURCE_KEY = field:customfield - This didn't work I'm afraid.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...