Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter data from a single file and write to two different indexes?

payal23
Path Finder
‎08-10-2020 07:36 AM

I am trying to filter a set of data from a single file with the below conditions and send the filtered data to different indexes.

Events are like: [ file.txt]

<85>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<25>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

So, event with 85 one should go to index A

and 25 one should go to index B

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-10-2020 08:05 AM

create props.conf On HF or Indexer

Note: you should change [currentsourcetype] below with your sourcetype events are coming in.

[currentsourcetype]
TRANSFORMS-routetoindexes = firstindex, secondindex

transforms.conf on same HF or Indexers

[firstindex]
REGEX = ^\<85\> 
#to change index if event matches with the above regex
DEST_KEY = _MetaData:Index 
#indexA is index where matching data will be indexed
FORMAT = indexA

[secondindex]
REGEX = ^\<25\>
#to change index if event matches with the above regex
DEST_KEY = _MetaData:Index 
#indexA is index where matching data will be indexed
FORMAT = indexB

 

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-10-2020 08:05 AM

create props.conf On HF or Indexer

Note: you should change [currentsourcetype] below with your sourcetype events are coming in.

[currentsourcetype]
TRANSFORMS-routetoindexes = firstindex, secondindex

transforms.conf on same HF or Indexers

[firstindex]
REGEX = ^\<85\> 
#to change index if event matches with the above regex
DEST_KEY = _MetaData:Index 
#indexA is index where matching data will be indexed
FORMAT = indexA

[secondindex]
REGEX = ^\<25\>
#to change index if event matches with the above regex
DEST_KEY = _MetaData:Index 
#indexA is index where matching data will be indexed
FORMAT = indexB

 

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

payal23
Path Finder
‎08-10-2020 08:26 AM

Thanks @thambisetty I will try this. And which index i should write in inputs.conf (Splunk UF integration) as Splunk will be monitoring the same file.

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-10-2020 08:46 AM

@payal23 ,

you can give any index based on your requirement, if you give different index other than indexA and indexB used in transforms, you will be ending up with total 3 indexes for same input. hope this clears your doubt.

 

up vote if my solution works for you.

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

payal23
Path Finder
‎08-10-2020 08:01 PM

Thanks for the explanation @thambisetty .. and its working!!! I added WRITE_META=true as well.

I have one more question: This configuration will work in both HF and Indexer, so which one should i use for this scenario?

Read this link and so I am confused: https://aditumpartners.com/5-splunk-myths-busted/

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-11-2020 01:31 AM

Data flow between universal forwarder and Indexer

universal forwarder -> Heavy forwarder(optional) -> Indexer

if you have heavy forwarder in place, I recommend using HF because the purpose of placing HF in between UF and Indexer is to parse/clean the data. Indexer is busy in serving requests coming from Search Head.

if you don't have HF in the flow , you can apply on Indexer.

Hope this helps...

up vote, if it solves your issue.

————————————
If this helps, give a like below.
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...