Change index based on source and index from differ...

splunkreal

Hello,

we have Windows servers from two environments, we want WinEventLog source (Windows Events logs) to go in "windows" index from main environment and secondary environment to go to "sec_windows". On UF from secondary environment we have setup inputs.conf with index = sec_windows but this doesn't work : all goes to windows index, could you help ? Thank you very much.

props.conf


[source::WinEventLog:*]

TRANSFORMS-set_index_sec_windows = set_index_sec_windows

TRANSFORMS-set_index_windows_wineventlog = set_index_windows_wineventlog



transforms.conf



# Windows

[set_index_windows_wineventlog]

SOURCE_KEY = MetaData:Source

REGEX = WinEventLog

DEST_KEY = _MetaData:Index

FORMAT = windows



[set_index_sec_windows]

SOURCE_KEY = _MetaData:Index

REGEX = sec_windows

DEST_KEY = _MetaData:Index

FORMAT = sec_windows

* If this helps, please upvote or accept solution if it solved *

gcusello

Hi @splunkreal ,

as @livehybrid said, the easiest approach is to create two copies of the Splunk_TA_Windows that differ only for the index in the input stanzas.

If not possible, you could follow the approach that you described.

Remember that in the second case, you have to put these configurations not in the Universal Forwarders, but in the first full Splunk instance that data pass throug, in other words on indexers or, if present on intermediate Heavy Forwarders.

Ciao.

Giuseppe

livehybrid

Hi @splunkreal

Are you able to set the index in the inputs.conf on the UF on in your secondary environment?

If not then you will need to use props/transforms as described - However this configuration will not work by default on a UF as this parsing is done on a HF/Indexer. I presume this is currently applied to the UF, otherwise it would also change the configuration for your primary environment?

🌟 Did this answer help you? If so, please consider:

Adding kudos to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

splunkreal

Hello yes UF is already setup on secondary environment. On first environment we use _TCP_ROUTING as we also have two Splunk platforms...

* If this helps, please upvote or accept solution if it solved *

livehybrid

If you're applying those props/transforms to the UF then that would explain why it isnt taking effect - the parsing is not carried out on the UF (except specifically enabled!) so they will need applying on the HF, unless you're able to set the correct index values on the secondary environment UFs.

🌟 Did this answer help you? If so, please consider:

Adding kudos to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

splunkreal

Hello, we found solution, there was metadata index source key that was possible to use. Thanks for your help guys.

* If this helps, please upvote or accept solution if it solved *

Change index based on source and index from different environments

index

other

source

sourcetype

universal forwarder

Windows

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform