Getting Data In

How to route the logs from certain host to index=abc_secure?

VijaySrrie
Builder

Hi Team,

[host::1.(xx|xx).xx.xx(x|y)]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

 

[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os, os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure

 

I need to route the logs from certain host to index=abc_secure (not all the logs only os and os_secure logs)

Labels (1)
0 Karma
1 Solution

VijaySrrie
Builder

@gcusello 

Below config worked


Props

[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

Transforms.conf

[change_index_abc_secure]
SOURCE_KEY = _MetaData:Index
REGEX = os|os_secure
DEST_KEY = _MetaData:Index
FORMAT = abc_secure

View solution in original post

0 Karma

VijaySrrie
Builder

@gcusello 

Below config worked


Props

[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

Transforms.conf

[change_index_abc_secure]
SOURCE_KEY = _MetaData:Index
REGEX = os|os_secure
DEST_KEY = _MetaData:Index
FORMAT = abc_secure

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VijaySrrie,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

VijaySrrie
Builder

Hi @gcusello 

Yes, this is fine, also I want the logs only from the hostname LIANS*

Will the below props and transforms work?

props.conf

[host=LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

transforms.conf

[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os|os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VijaySrrie,

yes it's correct, test it and tell me the result.

Ciao.

Giuseppe

0 Karma

VijaySrrie
Builder

Hi @gcusello 

This isn't working
Not sure where am I going wrong

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VijaySrrie,

please try this props.conf

[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

even if I'm not sure that's possible to use the asterisk in props.conf , could you try using a sourcetype instead host?

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VijaySrrie,

if you want to redirect only logs where index contains os or os_secure you have to use a different regex:

[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os|os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...