Getting Data In

How to split events from the same log into different indexes based on content?

himynamesdave
Contributor

I have a log that contains different customer IDs. I want to be able to split different events from the same log into different Splunk indexes depending on the customer ID.

The customer IDs are fairly static. Hence right now I'm thinking of placing customer IDs in a lookup and using this to route events. Is this possible?

Can anyone give any advice on how they have (or would) approach and execute something like this.

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi himynamesdave,

Use props.conf and transforms.conf for this..

 #props.conf
 [source]
 TRANSFORMS-routing_for_norris_index = route_to_norris_index

 #transforms.conf
 [route_to_norris_index]
 DEST_KEY = _MetaData:Index
 REGEX = chuck
 FORMAT = norris

This will route all events containing chuck into the norris index.

Cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi himynamesdave,

Use props.conf and transforms.conf for this..

 #props.conf
 [source]
 TRANSFORMS-routing_for_norris_index = route_to_norris_index

 #transforms.conf
 [route_to_norris_index]
 DEST_KEY = _MetaData:Index
 REGEX = chuck
 FORMAT = norris

This will route all events containing chuck into the norris index.

Cheers, MuS

vinayakwagh
Explorer

what about remaining event in which index they will go?

0 Karma

MuS
SplunkTrust
SplunkTrust

The remaining events that do not match the regex chuck will go into their configured index in inputs.conf (best practice) or into the configured default index of your Splunk (not best practice).

Hope this helps ...

cheers, MuS

0 Karma

MuS
SplunkTrust
SplunkTrust

Do this on the Splunk server which is doing event parsing eq a heavy forwarder or indexer http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...