- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to route the data in a different index?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to route the data in a different index?
Hi, I am a data in UF and I am sending it to HF and then IDX. I am trying to route the data in another index using props.conf and transforms.conf in HF but it is not getting routed.
But, When I Connect UF with IDX directly and do the routing in props and transforms in IDX , it works.
But, When I Connect UF with HF and HF is sending data to IDX and created props.conf and transforms.conf in IDX itself to route the data, again it is not getting routed.
What is the reason behind if data goes through HF to IDX ( Even though I write the routing stuff in IDX), data is not getting routed?
I have read all the docs, but not convinced with the theory. Kindly provide me the technical explanation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @abhayneilam
This thread is in dead old, but did you ever solve your issue?
Here a really usefull page explaning how indexing works: https://wiki.splunk.com/Community:HowIndexingWorks
I'm trying to perform the same as you. If you did solve it in the meantime, any hints on how you did it would be highly appreciated.
typingQueue is where the "props.conf" and "transforms.conf" are being polled. As your data is already cooked on UF this should be skipped on the HF. Or how Splunk would call it "intermediate forwarder" - https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Configureanintermediateforwarder
At least that's the way I have understood it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mate, Settings has to be amended on Heavy Forwarder not on Indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your data flow is UF->HF->IDX and your HF is a full Splunk Enterprise instance, then these routing configurations should be set on HF. Again, ensure that you're deploying the same configuration that worked from IDX and restarting HF after making the change.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but it does not work if I do routing the events through HF
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something must be wrong with either configuration that you put in OR some other configuration might be conflicting it in HF. Try to run btool on HF (after applying to your props.conf/transforms.conf changes) to see if you see the configuration you deployed.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
