Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to override an index on per event basis?

Haybuck15
Explorer
‎05-22-2017 09:52 AM

So basically, I have a ton of events coming in on UDP 514. Based on the document linked below, I was able
to configure my Sourcetype Overrides so not everything comes in as "Palo Alto". However, now my 3PAR Storage Array logs are coming in as:

sourcetype = 3par_array
index = network

I'd like to override my Index field based on the Regex I configured for Sourcetype Overrides, however Splunk says that "DestKey = Index" is undefined. Could someone please help me out?

http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Advancedsourcetypeoverrides

0 Karma
Reply
1 Solution
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-22-2017 11:04 AM

It is poor practice to syslog directly into Splunk; you should use a Universal Forwarder with a syslog aggregator as described here:

http://www.georgestarcher.com/splunk-success-with-syslog/

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-22-2017 11:25 AM

You misunderstand me; the Heavy Forwarder should be a Universal Forwarder and should be running syslog-ng with a filter for each appliance to filter out the sourcetypes to disk directories.

0 Karma
Reply
Solved! Jump to solution

Haybuck15
Explorer
‎05-22-2017 11:19 AM

@woodcock - This is routing to the Heavy Forwarder and being parsed there; this is an appliance that can not have a Universal Forwarder on it, similar to a Palo Alto firewall.

@somesoni2 - That did the trick, thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...