Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to route the logs from certain host to index=abc_secure?

VijaySrrie
Builder
‎11-01-2022 04:52 PM

Hi Team,

[host::1.(xx|xx).xx.xx(x|y)]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

 

[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os, os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure

 

I need to route the logs from certain host to index=abc_secure (not all the logs only os and os_secure logs)

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VijaySrrie
Builder
‎11-24-2022 06:04 PM

@gcusello 

Below config worked


Props

[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

Transforms.conf

[change_index_abc_secure]
SOURCE_KEY = _MetaData:Index
REGEX = os|os_secure
DEST_KEY = _MetaData:Index
FORMAT = abc_secure

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

VijaySrrie
Builder
‎11-24-2022 06:04 PM

@gcusello 

Below config worked


Props

[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

Transforms.conf

[change_index_abc_secure]
SOURCE_KEY = _MetaData:Index
REGEX = os|os_secure
DEST_KEY = _MetaData:Index
FORMAT = abc_secure

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-25-2022 12:18 AM

Hi @VijaySrrie,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution

VijaySrrie
Builder
‎11-03-2022 04:44 PM

Hi @gcusello 

Yes, this is fine, also I want the logs only from the hostname LIANS*

Will the below props and transforms work?

props.conf

[host=LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

transforms.conf

[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os|os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2022 12:27 AM

Hi @VijaySrrie,

yes it's correct, test it and tell me the result.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎11-06-2022 11:02 PM

Hi @gcusello 

This isn't working
Not sure where am I going wrong

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-06-2022 11:14 PM

Hi @VijaySrrie,

please try this props.conf

[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

even if I'm not sure that's possible to use the asterisk in props.conf , could you try using a sourcetype instead host?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-02-2022 12:48 AM

Hi @VijaySrrie,

if you want to redirect only logs where index contains os or os_secure you have to use a different regex:

[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os|os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...