- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Optimising redirection of an index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Optimising redirection of an index
I am redirecting an index however, I would like to possibly increase performance.
My props.conf looks like this:
[host::MM[0-9]{6}-PC]
TRANSFORMS-index = overrideIndexoldIndex
transforms.conf looks like this:
[overrideIndexoldIndex]
DEST_KEY =_MetaData:Index
REGEX = oldIndex
SOURCE_KEY=_MetaData:Index
FORMAT = newIndex
My understanding is that it is applying this transform for all data from host:MM[0-9]{6}-PC. The transform is just redirecting index:oldIndex to newIndex. There is a lot of data from hosts that matches this criteria. Is there a way to first check that the index is oldIndex and than look for those hosts and apply the transform then. Logically this would increase performance as there is far less data being sent to the index oldIndex than, the data being sent from those hosts that match our criteria.
Essentially I would like to understand the parsing of data better surrounding transforms and if this is a valid optimization how to go about implementing it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anam
Hi @m91886
Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For sourcetypes, you don't need the prefix. The stanza name should be like this
[source::<source>] OR [host::<host>] OR [<sourcetype>]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your logic and configurations are correct and it cannot be done any other way, other than by source or by sourcetype instead of by host in props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You current configuration (assuming it's been placed on the instance that does the parsing i.e. heavy forwarder or indexer whichever comes first) override index name to newIndex for each event tagged with index=oldIndex and coming from hosts matching pattern MM[0-9]{6}-PC. Unfortunately, this override can only be setup at sourcetype, source OR host level, and not at index level.
Any specific reasons for overriding index for those host/index combination? Could you explain your requirement little more in detail?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, the sourcetype would work. The reason is that a group is sending splunk logs to two environments. On one those environment's logs are set for oldIndex and on the other environment we want them in newIndex. Since the universal forwarder only sends those logs using one index to both environments we are using the transforms to change the index in our environment.
Would this be valid?
[sourcetype:OriginalSourceType]
[host::MM[0-9]{6}-PC]
TRANSFORMS-index = overrideIndexoldIndex
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
