Solved: Direct to an index based on _raw

daniel333 · ‎09-26-2015

All,

I am looking to route data to an index based on contents of the _raw.

Basically I have app that runs every so often and logs to /var/log/message on a Linux system. If i see "arpwatch" in the text I want the event to end up in index=arpwatch.

Assuming I don't want to mess with the logging facilities at this time to create another log file. Is this something Splunk can do?

Here is what I have so far on my all in one box. It sorta works, but I am getting the hostname AND index overwritten to be arpwatch rather than just the index.

props.conf
[syslog]
BREAK_ONLY_BEFORE = ^
TRANSFORMS-indexrouting = arpwatch

transforms.conf
[arpwatch]
REGEX = (?i) .app=arpwatch.
DEST_KEY = _MetaData:Index
FORMAT = arpwatch

daniel333 · ‎09-26-2015

Restarted Splunk and problem went away. Not sure what was up there, but it's working now.

View solution in original post

daniel333 · ‎09-26-2015

Restarted Splunk and problem went away. Not sure what was up there, but it's working now.

Direct to an index based on _raw

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation