How to change the index at index time

mataharry
Communicator

I have data coming from syslog udp:514
but I want to send some events to a different index.

Depending on:

  • the host they are coming from: ftp or vpn should go to indexB
  • some keywords in the events: "AUDIT" or "ALERT" should go to indexC

1 Solution

yannK
Splunk Employee

Method 1:
The optimal solution is to open several ports, one for each index, and have your syslog routed to the proper port.

Example:

```
[udp:514]
index=myindexA
[udp:515]
index=myindexB
[udp:516]
index=myindexC
#etc...
```

It is also possible to then enforce a sourcetype or a timezone per source.


Method 2: If you cannot separate your inputs, then you have to create props/transforms rules to change the index based on the content of the events, or the host.

See:

In inputs.conf

```
[udp:514]
index=myindexA
sourcetype=syslog
```

In props.conf, to apply only to your input:

```
[source::udp:514]
TRANSFORMS-changeindex=routeIndexbasedonhost, routeIndexbasedonevent
```

OR to apply to all syslog sourcetype:

```
[syslog]
TRANSFORMS-changeindex=routeIndexbasedonhost, routeIndexbasedonevent
```

In transforms.conf

```
[routeIndexbasedonhost]
SOURCE_KEY = MetaData:Host
REGEX=(ftp|vpn)
DEST_KEY=_MetaData:Index
FORMAT=myindexB
WRITE_META=true

[routeIndexbasedonevent]
REGEX=(AUDIT|ALERT)
DEST_KEY=_MetaData:Index
FORMAT=myindexC
WRITE_META=true
```

The order of the transforms is important:
TRANSFORMS-changeindex=routeIndexbasedonhost, routeIndexbasedonevent
will have myindexA for all, then some will become myindexB, and finally some will become myindexC,
so the last one will overwrite the previous ones.

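A small simulation of the Method 2 routing, added here as an example (it is not part of yannK's answer or of Splunk's own code). It parses the transforms.conf stanzas from the answer and applies them in TRANSFORMS-changeindex order under a simplified model: a regex search against SOURCE_KEY (_raw by default, the host field for MetaData:Host), a literal FORMAT with no $1 captures, and Python's re standing in for Splunk's PCRE. The sample events in the test are constructed.

```python
import re

# Constructed transforms.conf text: the two stanzas from the answer, verbatim.
TRANSFORMS_CONF = """
[routeIndexbasedonhost]
SOURCE_KEY = MetaData:Host
REGEX=(ftp|vpn)
DEST_KEY=_MetaData:Index
FORMAT=myindexB
WRITE_META=true

[routeIndexbasedonevent]
REGEX=(AUDIT|ALERT)
DEST_KEY=_MetaData:Index
FORMAT=myindexC
WRITE_META=true
"""

# Evaluation order as written in props.conf: TRANSFORMS-changeindex=host, event
TRANSFORMS_ORDER = ["routeIndexbasedonhost", "routeIndexbasedonevent"]

def parse_stanzas(text):
    """Parse .conf text into {stanza: {key: value}}, preserving key case."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route_index(event, default_index, order=TRANSFORMS_ORDER, conf=TRANSFORMS_CONF):
    """Index an event lands in: transforms run in order and the last match wins."""
    stanzas = parse_stanzas(conf)
    index = default_index  # the index= configured on the input in inputs.conf
    for name in order:
        t = stanzas[name]
        if t.get("DEST_KEY") != "_MetaData:Index" or t.get("WRITE_META", "").lower() != "true":
            continue  # not an index-routing transform
        # SOURCE_KEY defaults to _raw; MetaData:Host inspects the host field instead
        field = "host" if t.get("SOURCE_KEY", "_raw") == "MetaData:Host" else "_raw"
        if re.search(t["REGEX"], event[field]):
            index = t["FORMAT"]  # FORMAT taken literally (no $1 capture groups here)
    return index
```

Reversing the two names in TRANSFORMS-changeindex sends an ALERT event from a vpn host to myindexB instead of myindexC, so it would no longer land in the index reserved for the security team.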

mataharry
Communicator

For retention mostly, the vpn logs are voluminous, and I want to keep only 1 month of them.
But sometimes, for permissions, I want only my security team to be able to see the "ALERT" events.


gkanapathy
Splunk Employee

I would also ask why you think you want to send them to different indexes? Is it for security reasons? Retention reasons?

