Re: Redirection to different index using transform...

paycorp · ‎08-27-2013

Hi,

I have a couple of network devices which are sending logs to splunk over udp (so no forwarder installed on them).

I'm struggling to get my transforms.conf to redirect the data to a separate index.
The network devices have 2 transforms rules, the first one being a MetaData:Host being set (instead of IP) which works fine.
What am I doing wrong for the index redirection?
Maybe some issue with SOURCE_KEY? I've tried using a SOURCE_KEY = MetaData:Host in transforms.conf

transforms.conf
[host_rename_rt1]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::rt1

[index_redirect_to_pci]
REGEX = .
DEST_KEY = MetaData:Index
FORMAT = pci

props.conf
[host::x.x.x.x]
TRANSFORMS-rt1 = host_rename_rt1,index_redirect_to_pci

Thanks

dart · ‎08-27-2013

You should have _MetaData:Index not MetaData:Index.

### transforms.conf
[host_rename_rt1]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::rt1

[index_redirect_to_pci]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = pci

### props.conf
[host::x.x.x.x] 
TRANSFORMS-rt1 = host_rename_rt1,index_redirect_to_pci

Redirection to different index using transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation