Solved: Index selection conditional on values in the data

davidatpinger · ‎09-21-2015

I've got a bunch of key-value data, something sorta like this:

a=1,b=2,c=3,d=4
a=5,b=6,c=7,d=8
a=9,b=2,c=10,d=11
(etc.)

I'd like to sort this data into different indexes (for the purpose of different retention times) depending on the value passed to the 'b' key. So, if b=2, send the data to index_retain_for_one_week but if b=6, send the data to index_retain_for_one_month. Ideally, there would be a final condition for values of 'b' that aren't listed. Think of this as an 'else' condition that sends non-matching data for the list of conditions to index_retain_one_day. (All of the index names are just illustrative, like the data.)

Is there a good way to do that? Heck, is it possible? My apologies if this is already answered somewhere - I couldn't find a set of key words that generated an answer. Thanks!

somesoni2 · ‎09-21-2015

Here you go

http://answers.splunk.com/answers/150266/dynamic-index-assignment-based-on-event-or-log-prefix.html

View solution in original post

somesoni2 · ‎09-21-2015

Here you go

http://answers.splunk.com/answers/150266/dynamic-index-assignment-based-on-event-or-log-prefix.html

davidatpinger · ‎09-21-2015

I suppose I can make multiple stanzas of transforms and they are applied in order by the TRANSFORMS statement in props.conf. So yeah, this will work! Thanks!

davidatpinger · ‎09-22-2015

Okay, this is close but not quite working. I've got something like this in transforms.conf:

[special-data]
DEST_KEY = _MetaData:Index
REGEX = b=[3|30|44|49|21]
FORMAT = special-index

[normal-data]
DEST_KEY=_MetaData:Index
FORMAT = normal-index

And then, in props.conf, I have something like this:

[mysourcetype]
TRANSFORMS-indexsort = special-data, normal-data

There must be something unhappy with the REGEX, because everything ends up in special-index. Hmm.

somesoni2 · ‎09-22-2015

You forgot to add "REGEX = ." in the normal-data stanza.

[special-data]
DEST_KEY = _MetaData:Index
REGEX = b=[3|30|44|49|21]
FORMAT = special-index

[normal-data]
REGEX = .
DEST_KEY=_MetaData:Index
FORMAT = normal-index

davidatpinger · ‎09-22-2015

Yeah, and I need parens instead of square brackets. Getting there! (Thanks!!)

davidatpinger · ‎09-22-2015

Hmm, now everything is falling through to normal-data. Time to muck around with it some more.

somesoni2 · ‎09-22-2015

Check the REGEX for special-data, may be some spaces that need to be adjusted etc. If you can send some actual sample data, I can try to look at it as well..

somesoni2 · ‎09-22-2015

Also, can you do this, in your porps.conf and transforms.conf, change the order of the stanza, so get the normal-data first and special-data after that.

davidatpinger · ‎10-02-2015

I discovered that my brain was backwards. It's not first-match and stop in the listed transforms in props.conf - it runs to the end and the last match is what you get.

Once I got that through my skull, everything works as expected. Thanks much!

Index selection conditional on values in the data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Join the Conversation