Getting Data In

How to forward events to different indexes based on universal forwarder IP address?

securityninja
Engager

Hi there,

I have dozens of devices forwarding data through universal forwarder to a heavy forwarder, which in turn forwards data to a group of indexers.
Due to access provisioning demands, I would like data from each set of these devices to be indexed under a specific index, so users can be granted access to the specific indexes.

By specifying in props.conf and inputs.conf on the heavy forwarder, is it possible to achieve this result?

Any help would be much appreciated.
Splunk newbie.

0 Karma

acharlieh
Influencer

If you have control over the UF configuration, (either directly, or through a configuration management solution or a Deployment Server) then you can set index in inputs.conf on the UFs and you're all set.

Alternatively, it would take some processing on the HF; you would need some common field to match on the HF (host might be a good one, so long as your UF isn't setting host from a source other than the UF itself), so your props.conf on the HF could have stanza(s) like:

[host::hostnamepattern]
TRANSFORMS = rewrite-index

which of course references corresponding transforms.conf entr(ies) like:

[rewrite-index]
SOURCE_KEY = MetaData:Host
REGEX = (regex match against SOURCE_KEY value)
DEST_KEY = _MetaData:Index
FORMAT = targetindex (could use capturing groups from the regex here)

There's a lot of variability here of course, and if you're using INDEXED_EXTRACTIONS on your UFs, this method of HF configuration wouldn't work (since the UFs are sending fully parsed events in that case).
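To see how the host stanza plus transforms.conf chain described above resolves to an index, here is an added Python model (example code, not Splunk's engine and not anything posted in this thread) that reads constructed props.conf and transforms.conf fragments and applies them the way the parsing pipeline does, including the host:: prefix Splunk keeps in MetaData:Host and $1 capture-group substitution in FORMAT. Stanza names, hostnames and index names are made up, and only host:: stanzas with the * wildcard and DEST_KEY = _MetaData:Index are modelled.

```python
import configparser
import re

# Constructed props.conf / transforms.conf fragments in the shape the answer describes (not the poster's files).
PROPS_CONF = """
[host::SALSABDCO101]
TRANSFORMS-route = set_index_static
[host::dc-*]
TRANSFORMS-route = set_index_by_site
"""
TRANSFORMS_CONF = """
[set_index_static]
SOURCE_KEY = MetaData:Host
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = idx_dc_do_mog
[set_index_by_site]
SOURCE_KEY = MetaData:Host
REGEX = ^host::dc-(\\w+)-
DEST_KEY = _MetaData:Index
FORMAT = idx_dc_$1
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep SOURCE_KEY / DEST_KEY case as written
    cp.read_string(text)
    return cp

def stanza_matches(stanza, host):
    # [host::...] stanza names accept the '*' wildcard; map it onto a regex
    if not stanza.startswith("host::"):
        return False
    pattern = ".*".join(re.escape(p) for p in stanza[len("host::"):].split("*"))
    return re.fullmatch(pattern, host) is not None

def route(host, props, transforms, default_index="main"):
    """Simplified model of index-time TRANSFORMS for one event (host:: stanzas and
    DEST_KEY = _MetaData:Index only); returns the index the event lands in. Splunk runs
    these in the parsing pipeline of the first full instance the data crosses (the HF
    here); indexers fed already-parsed data by an HF do not evaluate them again."""
    index = default_index
    source_keys = {"MetaData:Host": "host::" + host}  # MetaData:Host carries the "host::" prefix
    for stanza in (s for s in props.sections() if stanza_matches(s, host)):
        names = [v for k, v in props[stanza].items() if k.startswith("TRANSFORMS")]
        for t in (transforms[n.strip()] for v in names for n in v.split(",")):
            m = re.search(t["REGEX"], source_keys[t["SOURCE_KEY"]])
            if m and t["DEST_KEY"] == "_MetaData:Index":
                index = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), t["FORMAT"])
    return index
```

Calling `route("dc-qatar-01", load(PROPS_CONF), load(TRANSFORMS_CONF))` yields `idx_dc_qatar`, while a regex anchored as `^dc-` would never match because of the `host::` prefix.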

securityninja
Engager

Hi,
Thank you very much for your detailed answer.
Here are the changes I have made.

/opt/splunk/etc/system/local/props.conf:
[host::SALSABDCO101]
TRANSFORMS-dc_mog_qatar_cn = dc_mog_qatar_tn

/opt/splunk/etc/system/local/transforms.conf:
[dc_mog_qatar_tn]
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = idx_dc_do_mog

  • These changes were done on both the indexers which are involved in indexing events from the host in question.
  • SALSABDCO101 is the host running the UF whose events I would like to be indexed into idx_dc_do_mog

Am I doing something incorrect? I see events from host SALSABDCO101 being indexed into the index defined in inputs.conf under the domain controller app on the heavy forwarder.

0 Karma