Solved: How to redirect some SNMP data to a new index?

hagjos43 · ‎01-31-2017

We have SNMP data being sent from a heavy forwarder to our indexers into an index that we'll call cacti.

We want SOME of the data (specifically traffic data) to go to another index. My inputs.conf on some test logs (fake data) is set to send data to the main index with a sourcetype of cacti:test1.

I've done a test that looks like the following with zero luck (These have been placed on the Heavy Forwarder):
TRANSFORMS.conf:

[IndexRedirect_traffic]
REGEX = rrdn\Straffic
DESKT_KEY = _MetaData:Index
FORMAT = index::cacti_traffic

PROPS.conf:

[cacti:test1]
TRANSFORMS-indexredirect = IndexRedirect_traffic

hagjos43 · ‎02-02-2017

Looks like I had an issue with my REGEX, and it worked after the REGEX fix.

Thanks!

View solution in original post

hagjos43 · ‎02-02-2017

Looks like I had an issue with my REGEX, and it worked after the REGEX fix.

Thanks!

somesoni2 · ‎01-31-2017

Try this for transforms.conf entry.

[IndexRedirect_traffic]
 REGEX = rrdn\Straffic
 DESKT_KEY = _MetaData:Index
 FORMAT = cacti_traffic

How to redirect some SNMP data to a new index?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7