Getting Data In

How do I route based on host and source type?

lukessi
Path Finder

Hi,

I am routing traffic to a 3rd party. I have done some of this based on a host and others based on the source type.

But I now need to route based on a host and a sourcetype, and I can't work out how to do it.

Any tips on where to look?

1 Solution

FrankVl
Ultra Champion

I think you could do something along these lines, triggering the transforms based on sourcetype, but inside the transforms config filter by host using the REGEX.

props.conf:

[yoursourcetype]
TRANSFORMS-setrouting = your-routing

transforms.conf:

[your-routing]
SOURCE_KEY = MetaData:Host
REGEX = (host1|host2|...|hostn)
DEST_KEY = _TCP_ROUTING
FORMAT = your-outputgroup


krithikar
Engager

What if we have multiple hosts, say 500 and above? Can we use a * to pick up all the host names?

REGEX = (host*)

If my host name starts with ABCD and I say ABCD*, will this work? Or say my events have these hosts under a field called computername:

REGEX = (?ms)(ComputerName=ABCD*.domain.com)


lukessi
Path Finder

Cheers mate I came to that solution too. Just double checking if there was another way.
