Reroute host to different index

troy44112 · ‎09-23-2021

I am trying to figure out how to reroute a specific host to a different index.
For example, search results of host=1234test shows in index=best_life...
How would I change the index of host1234 from best_life to fall into a different index that exist already ie. (index=other_index)..

ashvinpandey · ‎09-23-2021

@troy44112

Use props.conf and transforms.conf for this..

 #props.conf
 [source]
 TRANSFORMS-routing_for_norris_index = route_to_norris_index

 #transforms.conf
 [route_to_norris_index]
 DEST_KEY = _MetaData:Index
 REGEX = chuck
 FORMAT = norris

This will route all events containing chuck into the norris index.

please find the below link for more detailed info:
https://blog.avotrix.com/implement-split-indexing-in-splunk/
Also, If this reply helps you, an upvote would be appreciated.

richgalloway · ‎09-23-2021

Check the inputs.conf files on that host. Change all instances of "index=best_life" to "index=other_index" and restart Splunk on that host.

Data that is already in index=best_life cannot be moved, but you can use the collect command to copy events to another index. This will affect your license usage.

---
If this reply helps you, Karma would be appreciated.

Reroute host to different index

index

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?