Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Rerouting to different index

cmlombardo
Path Finder
‎06-03-2015 12:27 PM

I can't seem to be able to reroute a sourcetype to a different index.

Here's props.conf:
[MySourceType]

# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType

And here is my transforms.conf

[setindex_MySourceType]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (?i)^sourcetype::MySourceType
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i

What am I missing?!?

Thank you,
Claudio

Tags (2)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-03-2015 01:23 PM

Hi cmlombardo,

best thing would be to set the correct index at input level in the inputs.conf . But you can do this as well later on any Splunk server doing parsing. Maybe your regex does not match ; if you aplly this to one special sourcetype you can use something like this because you want to have anything from this sourcetype in the new index:

props.conf:
[MySourceType]
# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType

transforms.conf
[setindex_MySourceType]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i

As long as this is done at parsing level and the sourcetype matches exactly, you will get any new incoming events in the index=my_custom_i

Hope that helps ...

cheers, MuS

0 Karma
Reply

cmlombardo
Path Finder
‎06-04-2015 10:33 AM

Mhhh... I tried that already and for some reasons it's still going to the main index.
It's odd.

Hopefully this should not have anything to do with the fact that I am experimenting with the free splunk installation I have before sending it to the production one...

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-04-2015 12:29 PM

does your custom index exists ?

0 Karma
Reply

cmlombardo
Path Finder
‎06-04-2015 12:31 PM

Yes, and I verified it has the same name (including the case, even though I am not sure it would make a difference).

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-04-2015 01:08 PM

Oh my bad sorry .... try one of these settings:

[setindex_MySourceType]
REGEX = .
FORMAT = my_custom_i
DEST_KEY = _MetaData:Index
WRITE_META = true

or

[setindex_MySourceType]
REGEX = .
FORMAT = index::my_custom_i
DEST_KEY = _MetaData:Index
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...