Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter data from a single file and write to two different indexes?

payal23
Path Finder
‎08-10-2020 07:36 AM

I am trying to filter a set of data from a single file with the below conditions and send the filtered data to different indexes.

Events are like: [ file.txt]

<85>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<25>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

So, event with 85 one should go to index A

and 25 one should go to index B

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-10-2020 08:05 AM

create props.conf On HF or Indexer

Note: you should change [currentsourcetype] below with your sourcetype events are coming in.

[currentsourcetype]
TRANSFORMS-routetoindexes = firstindex, secondindex

transforms.conf on same HF or Indexers

[firstindex]
REGEX = ^\<85\> 
#to change index if event matches with the above regex
DEST_KEY = _MetaData:Index 
#indexA is index where matching data will be indexed
FORMAT = indexA

[secondindex]
REGEX = ^\<25\>
#to change index if event matches with the above regex
DEST_KEY = _MetaData:Index 
#indexA is index where matching data will be indexed
FORMAT = indexB

 

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-10-2020 08:05 AM

create props.conf On HF or Indexer

Note: you should change [currentsourcetype] below with your sourcetype events are coming in.

[currentsourcetype]
TRANSFORMS-routetoindexes = firstindex, secondindex

transforms.conf on same HF or Indexers

[firstindex]
REGEX = ^\<85\> 
#to change index if event matches with the above regex
DEST_KEY = _MetaData:Index 
#indexA is index where matching data will be indexed
FORMAT = indexA

[secondindex]
REGEX = ^\<25\>
#to change index if event matches with the above regex
DEST_KEY = _MetaData:Index 
#indexA is index where matching data will be indexed
FORMAT = indexB

 

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

payal23
Path Finder
‎08-10-2020 08:26 AM

Thanks @thambisetty I will try this. And which index i should write in inputs.conf (Splunk UF integration) as Splunk will be monitoring the same file.

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-10-2020 08:46 AM

@payal23 ,

you can give any index based on your requirement, if you give different index other than indexA and indexB used in transforms, you will be ending up with total 3 indexes for same input. hope this clears your doubt.

 

up vote if my solution works for you.

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

payal23
Path Finder
‎08-10-2020 08:01 PM

Thanks for the explanation @thambisetty .. and its working!!! I added WRITE_META=true as well.

I have one more question: This configuration will work in both HF and Indexer, so which one should i use for this scenario?

Read this link and so I am confused: https://aditumpartners.com/5-splunk-myths-busted/

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-11-2020 01:31 AM

Data flow between universal forwarder and Indexer

universal forwarder -> Heavy forwarder(optional) -> Indexer

if you have heavy forwarder in place, I recommend using HF because the purpose of placing HF in between UF and Indexer is to parse/clean the data. Indexer is busy in serving requests coming from Search Head.

if you don't have HF in the flow , you can apply on Indexer.

Hope this helps...

up vote, if it solves your issue.

————————————
If this helps, give a like below.
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
li.common.scroll-to.top