Getting Data In

How to route the logs from certain host to index=abc_secure?

VijaySrrie
Builder

Hi Team,

[host::1.(xx|xx).xx.xx(x|y)]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

 

[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os, os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure

 

I need to route the logs from certain host to index=abc_secure (not all the logs only os and os_secure logs)

Labels (1)
0 Karma
1 Solution

VijaySrrie
Builder

@gcusello 

Below config worked


Props

[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

Transforms.conf

[change_index_abc_secure]
SOURCE_KEY = _MetaData:Index
REGEX = os|os_secure
DEST_KEY = _MetaData:Index
FORMAT = abc_secure

View solution in original post

0 Karma

VijaySrrie
Builder

@gcusello 

Below config worked


Props

[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

Transforms.conf

[change_index_abc_secure]
SOURCE_KEY = _MetaData:Index
REGEX = os|os_secure
DEST_KEY = _MetaData:Index
FORMAT = abc_secure

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VijaySrrie,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

VijaySrrie
Builder

Hi @gcusello 

Yes, this is fine, also I want the logs only from the hostname LIANS*

Will the below props and transforms work?

props.conf

[host=LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

transforms.conf

[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os|os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VijaySrrie,

yes it's correct, test it and tell me the result.

Ciao.

Giuseppe

0 Karma

VijaySrrie
Builder

Hi @gcusello 

This isn't working
Not sure where am I going wrong

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VijaySrrie,

please try this props.conf

[host::LIANS*]
TRANSFORMS-change_index_abc_secure = change_index_abc_secure

even if I'm not sure that's possible to use the asterisk in props.conf , could you try using a sourcetype instead host?

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VijaySrrie,

if you want to redirect only logs where index contains os or os_secure you have to use a different regex:

[change_index_abc_secure]
SOURCE_KEY = MetaData:Index
REGEX = os|os_secure
DEST_KEY = MetaData:Index
FORMAT = index::abc_secure

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...