Solved: Direct to an index based on _raw

daniel333 · ‎09-26-2015

All,

I am looking to route data to an index based on contents of the _raw.

Basically I have app that runs every so often and logs to /var/log/message on a Linux system. If i see "arpwatch" in the text I want the event to end up in index=arpwatch.

Assuming I don't want to mess with the logging facilities at this time to create another log file. Is this something Splunk can do?

Here is what I have so far on my all in one box. It sorta works, but I am getting the hostname AND index overwritten to be arpwatch rather than just the index.

props.conf
[syslog]
BREAK_ONLY_BEFORE = ^
TRANSFORMS-indexrouting = arpwatch

transforms.conf
[arpwatch]
REGEX = (?i) .app=arpwatch.
DEST_KEY = _MetaData:Index
FORMAT = arpwatch

daniel333 · ‎09-26-2015

Restarted Splunk and problem went away. Not sure what was up there, but it's working now.

View solution in original post

daniel333 · ‎09-26-2015

Restarted Splunk and problem went away. Not sure what was up there, but it's working now.

Direct to an index based on _raw

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation