I can't seem to be able to reroute a sourcetype to a different index.
Here's props.conf:
[MySourceType]
# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType
And here is my transforms.conf
[setindex_MySourceType]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (?i)^sourcetype::MySourceType
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i
What am I missing?!?
Thank you,
Claudio
Hi cmlombardo,
Best thing would be to set the correct index at input level in the inputs.conf. But you can do this as well later on any Splunk server doing parsing. Maybe your regex does not match; if you apply this to one special sourcetype you can use something like this because you want to have anything from this sourcetype in the new index:
props.conf:
[MySourceType]
# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType
transforms.conf
[setindex_MySourceType]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i
As long as this is done at parsing level and the sourcetype matches exactly, you will get any new incoming events in the index=my_custom_i
Hope that helps ...
cheers, MuS
Mhhh... I tried that already and for some reason it's still going to the main index.
It's odd.
Hopefully this should not have anything to do with the fact that I am experimenting with the free Splunk installation I have before sending it to the production one...
Does your custom index exist?
Yes, and I verified it has the same name (including the case, even though I am not sure it would make a difference).
Oh, my bad, sorry... try one of these settings:
[setindex_MySourceType]
REGEX = .
FORMAT = my_custom_i
DEST_KEY = _MetaData:Index
WRITE_META = true
or
[setindex_MySourceType]
REGEX = .
FORMAT = index::my_custom_i
DEST_KEY = _MetaData:Index
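
A simplified offline model of the props.conf to transforms.conf index routing discussed in this thread, for checking a stanza pair against a sample event before deploying it. It is an added example, not code from any poster or from Splunk. The helpers `load` and `route`, the default index `main`, and exact stanza-name matching are assumptions of the model.

```python
import configparser
import re

# Constructed sample input: the stanzas quoted in the thread.
PROPS = """
[MySourceType]
TRANSFORMS-8_AssignToIndex = setindex_MySourceType
"""
TRANSFORMS_QUESTION = """
[setindex_MySourceType]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (?i)^sourcetype::MySourceType
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i
"""
TRANSFORMS_ANSWER = """
[setindex_MySourceType]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i
"""

def load(text):
    """Parse .conf text; only '=' separates key and value, key case is kept."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def route(props_text, transforms_text, sourcetype, raw, default_index="main"):
    """Return the index this model assigns to one event (hypothetical helper)."""
    props, transforms = load(props_text), load(transforms_text)
    index = default_index
    if not props.has_section(sourcetype):      # model assumption: exact stanza match
        return index
    for key in sorted(props.options(sourcetype)):
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in props.get(sourcetype, key).split(",")):
            if not transforms.has_section(name):
                continue                       # dangling reference: nothing applied
            stanza = transforms[name]
            source_key = stanza.get("SOURCE_KEY", "_raw")
            subject = {"_raw": raw,
                       "MetaData:Sourcetype": "sourcetype::" + sourcetype}.get(source_key)
            if subject is None or not re.search(stanza.get("REGEX", "(?!)"), subject):
                continue
            if stanza.get("DEST_KEY") == "_MetaData:Index":
                index = stanza["FORMAT"]
    return index
```

The model covers only `_raw` and `MetaData:Sourcetype` as `SOURCE_KEY` and only literal `FORMAT` values; it says nothing about which Splunk instance actually parses the data.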