Getting Data In

How to send events from same path to different indexes depending on host using a single deployment?

mfrost8
Builder

Hello. Here's my situation. I am using the deployment server to push deployments to universal forwarders and would like to create a single deployment for multiple Apache servers. For reasons I won't get into, I have a need to send events from the same path to different indexes depending on the host that they come from.

So the logic of a hypothetical inputs.conf I create would be

[monitor:///var/weblogs/*/*.log]
 if host::host1 OR host::host2 OR host::host3, index = special_index

[monitor:///var/weblogs/*/*.log]
 if host::host4 OR host::host5 OR host::host6, index = main

Obviously inputs.conf doesn't support this kind of syntax, but it's unclear to me how I might be able to accomplish this same thing, if at all, using just one deployment. I already have a lot of different individual deployments with minor tweaks between them like this directing to different indexes stuff, but it's hard to maintain all those different but similar configurations.

Is there a way I might change the index value via configuration for events from this path depending on the host value?

Thanks very much.

1 Solution

martin_mueller
SplunkTrust

You have two options.

First, create two serverclasses - one for events going to main and one for events going to special_index. That's the easiest to do and most efficient to process for your machines.

Second, you could set up transforms.conf rules on your indexers that decide based on an event's host whether to send an event to main or to special_index. That works, but is a bit harder to configure and adds unnecessary load to your indexers compared to just setting things in inputs.conf right away.
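The second option above, written out as an added example (not configuration from the thread or from Splunk's docs). It goes on the indexers, or on a heavy forwarder in front of them, because universal forwarders do not run props/transforms. The class name route_by_host and the stanza name route_special_hosts are assumptions; the path, host names and index names are the ones from the question.

```ini
# ---- props.conf (indexer or heavy forwarder) ----
# Apply the routing transform to every file under the one monitored path.
# The stanza name is assumed; the path matches the monitor stanza in the question.
[source::/var/weblogs/*/*.log]
TRANSFORMS-route_by_host = route_special_hosts

# ---- transforms.conf (same instance) ----
[route_special_hosts]
# Match against the event's host metadata rather than the raw event text.
SOURCE_KEY = MetaData:Host
# The host key is stored as "host::<name>". Anchor the regex so that a host
# such as "host10" is not matched by the "host1" alternative.
REGEX = ^host::(host1|host2|host3)$
# Overwrite the destination index for matching hosts only; events from
# host4-host6 keep whatever index the forwarder set (main by default).
DEST_KEY = _MetaData:Index
FORMAT = special_index
```

Two checks worth doing before relying on this: special_index must be defined in indexes.conf on every indexer, otherwise events routed to it are dropped (unless lastChanceIndex is set); and because index membership is usually what role-based search access is built on, a host missing from the regex silently lands in main, so it pays to search `index=main host=host1` after a restart to confirm nothing leaked through.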


martin_mueller
SplunkTrust

You could put the 95% into a common serverclass and only keep the 5% in separate serverclasses. That should severely reduce maintenance overhead.
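The first option from the solution, refined the way the comment above suggests (one common serverclass plus a small one for the hosts that differ), as an added serverclass.conf example that is not from the thread. App names apache_common and apache_index_special, and the use of the same six host names as in the question, are assumptions.

```ini
# ---- serverclass.conf on the deployment server ----
[global]
restartSplunkd = true

# The 95%: every Apache host gets the shared inputs app.
[serverClass:apache_all]
whitelist.0 = host1
whitelist.1 = host2
whitelist.2 = host3
whitelist.3 = host4
whitelist.4 = host5
whitelist.5 = host6

[serverClass:apache_all:app:apache_common]

# The 5%: only the hosts that must write to special_index get the override app.
[serverClass:apache_special]
whitelist.0 = host1
whitelist.1 = host2
whitelist.2 = host3

[serverClass:apache_special:app:apache_index_special]

# ---- deployment-apps/apache_common/local/inputs.conf ----
# Shared monitor stanza; deliberately does NOT set index, so the override
# app can supply it without a conflicting value.
#   [monitor:///var/weblogs/*/*.log]
#   sourcetype = access_combined
#   disabled = false

# ---- deployment-apps/apache_index_special/local/inputs.conf ----
# Same stanza header, only the setting that differs. The forwarder merges the
# two stanzas at load time; host4-host6 never receive this app and so keep
# the default index (main).
#   [monitor:///var/weblogs/*/*.log]
#   index = special_index
```

A change to the shared monitor stanza then lives in one place. On any forwarder you can confirm the merged result with `splunk btool inputs list monitor:///var/weblogs/*/*.log --debug`, which shows which app each setting came from.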


mfrost8
Builder

Thanks, Martin.

That's what I was afraid of. I already have separate deployments for these different hosts, which is a pain to maintain because 95% of the deployments are identical, so if I make a change I have to make sure I put it in multiple places the same way.

As I was writing the original message, I thought about the indexer-side transforms.conf stuff, but that's not super-clear either. Doesn't seem like there's a great solution for this other than finding a justification for collapsing it all into the same index starting now.

Thanks
