Re: Different index based on hostname

ebastos · ‎05-12-2014

Hi, All.

I'm trying to send specific hostnames to a different index, but not making a lot of progress.
We have 2 forwarders (splunkforwarder), 1 indexer and 1 search head.

I've put the following configs under $SPLUNK_HOME/etc/system/local/

props.conf:

[host::*.mpls.domain.com]
TRANSFORMS-index = mpls

transforms.conf:

[mpls]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = mpls

Restarted splunk, but data keeps going to the main index.
Any ideas how I can troubleshoot that, please?

dwaddle · ‎05-12-2014

Your configuration looks correct. Where is it applied? It needs to be on the indexer. I would use btool to make sure the configuration is coming out like expected:

splunk cmd btool --debug props list "host::*.mpls.domain.com"
splunk cmd bootl --debug transforms list "mpls"

ebastos · ‎05-12-2014

Good news is that the debug command works.
Bad news is that I still don't see why it's not working. 🙂

The files are indeed on the indexer.

/opt/splunk/etc/system/local/transforms.conf [mpls]
/opt/splunk/etc/system/local/transforms.conf DEST_KEY = _MetaData:Index
/opt/splunk/etc/system/local/transforms.conf FORMAT = mpls
/opt/splunk/etc/system/local/transforms.conf REGEX = .