Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Change index depending on host
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm trying to split Windows events into different indexes at index time depending on the host which is sending them. Below there are my props.conf and transforms.conf
props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-set_new_index = set_index_newtransforms.conf
[set_index_new]
REGEX = MY.HOSTNAME.12.COM
FORMAT = windows-new
DEST_KEY = _MetaData:Index
I tried with different combinations on the regex but none of them worked. Can someone tell me what could be wrong? Thanks in advance.
Best.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Your transforms does not say which field you are trying to match (SOURCE_KEY). If you don't tell it that, then it probably is checking the entire _raw, iirc.
2) If you mean to match only the character ., then your regex should escape the character using \.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Your transforms does not say which field you are trying to match (SOURCE_KEY). If you don't tell it that, then it probably is checking the entire _raw, iirc.
2) If you mean to match only the character ., then your regex should escape the character using \.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 2nd one works!!! Thanks a lot for your answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
On which splunk instance, have you configured above props.conf and transforms.conf ? It should be on first Splunk Enterprise instance from Universal Forwarder. For example: If UF sends data to Heavy Forwarder and then it goes to Indexer then you need to configure props & transforms on Heavy Forwarder. If UF sends data directly to Indexer then you need to configure props & transforms on Indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for your response. I have a UF sending logs to indexers. I deployed those .conf files on indexers but it's not indexing logs on the new index, and it is using the old one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you restarted splunk on Indexer after adding those props/transforms ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I deployed the changes via Cluster Master, so I assume no restart on IDX is required, is that right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes if you deployed from CM then it will automatically take care. Additionally only new data will go into new index not existing data. If that is still not working then I'll suggest to provide some sample data (Mask sensitive data)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
