Re: Different index based on hostname

ebastos · ‎05-12-2014

Hi, All.

I'm trying to send specific hostnames to a different index, but not making a lot of progress.
We have 2 forwarders (splunkforwarder), 1 indexer and 1 search head.

I've put the following configs under $SPLUNK_HOME/etc/system/local/

props.conf:

[host::*.mpls.domain.com]
TRANSFORMS-index = mpls

transforms.conf:

[mpls]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = mpls

Restarted splunk, but data keeps going to the main index.
Any ideas how I can troubleshoot that, please?

dwaddle · ‎05-12-2014

Your configuration looks correct. Where is it applied? It needs to be on the indexer. I would use btool to make sure the configuration is coming out like expected:

splunk cmd btool --debug props list "host::*.mpls.domain.com"
splunk cmd bootl --debug transforms list "mpls"

ebastos · ‎05-12-2014

Good news is that the debug command works.
Bad news is that I still don't see why it's not working. 🙂

The files are indeed on the indexer.

/opt/splunk/etc/system/local/transforms.conf [mpls]
/opt/splunk/etc/system/local/transforms.conf DEST_KEY = _MetaData:Index
/opt/splunk/etc/system/local/transforms.conf FORMAT = mpls
/opt/splunk/etc/system/local/transforms.conf REGEX = .

Different index based on hostname

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Join the Conversation