Solved: Direct to an index based on _raw

daniel333 · ‎09-26-2015

All,

I am looking to route data to an index based on contents of the _raw.

Basically I have app that runs every so often and logs to /var/log/message on a Linux system. If i see "arpwatch" in the text I want the event to end up in index=arpwatch.

Assuming I don't want to mess with the logging facilities at this time to create another log file. Is this something Splunk can do?

Here is what I have so far on my all in one box. It sorta works, but I am getting the hostname AND index overwritten to be arpwatch rather than just the index.

props.conf
[syslog]
BREAK_ONLY_BEFORE = ^
TRANSFORMS-indexrouting = arpwatch

transforms.conf
[arpwatch]
REGEX = (?i) .app=arpwatch.
DEST_KEY = _MetaData:Index
FORMAT = arpwatch

daniel333 · ‎09-26-2015

Restarted Splunk and problem went away. Not sure what was up there, but it's working now.

View solution in original post

daniel333 · ‎09-26-2015

Restarted Splunk and problem went away. Not sure what was up there, but it's working now.

Direct to an index based on _raw

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Direct to an index based on _raw

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES