Different index based on hostname

ebastos · ‎05-12-2014

Hi, All.

I'm trying to send specific hostnames to a different index, but not making a lot of progress.
We have 2 forwarders (splunkforwarder), 1 indexer and 1 search head.

I've put the following configs under $SPLUNK_HOME/etc/system/local/

props.conf:

[host::*.mpls.domain.com]
TRANSFORMS-index = mpls

transforms.conf:

[mpls]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = mpls

Restarted splunk, but data keeps going to the main index.
Any ideas how I can troubleshoot that, please?

dwaddle · ‎05-12-2014

Your configuration looks correct. Where is it applied? It needs to be on the indexer. I would use btool to make sure the configuration is coming out like expected:

splunk cmd btool --debug props list "host::*.mpls.domain.com"
splunk cmd bootl --debug transforms list "mpls"

ebastos · ‎05-12-2014

Good news is that the debug command works.
Bad news is that I still don't see why it's not working. 🙂

The files are indeed on the indexer.

/opt/splunk/etc/system/local/transforms.conf [mpls]
/opt/splunk/etc/system/local/transforms.conf DEST_KEY = _MetaData:Index
/opt/splunk/etc/system/local/transforms.conf FORMAT = mpls
/opt/splunk/etc/system/local/transforms.conf REGEX = .

Different index based on hostname

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Different index based on hostname

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...