Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Rerouting to different index

cmlombardo
Path Finder
‎06-03-2015 12:27 PM

I can't seem to be able to reroute a sourcetype to a different index.

Here's props.conf:
[MySourceType]

# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType

And here is my transforms.conf

[setindex_MySourceType]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (?i)^sourcetype::MySourceType
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i

What am I missing?!?

Thank you,
Claudio

Tags (2)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-03-2015 01:23 PM

Hi cmlombardo,

best thing would be to set the correct index at input level in the inputs.conf . But you can do this as well later on any Splunk server doing parsing. Maybe your regex does not match ; if you aplly this to one special sourcetype you can use something like this because you want to have anything from this sourcetype in the new index:

props.conf:
[MySourceType]
# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType

transforms.conf
[setindex_MySourceType]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i

As long as this is done at parsing level and the sourcetype matches exactly, you will get any new incoming events in the index=my_custom_i

Hope that helps ...

cheers, MuS

0 Karma
Reply

cmlombardo
Path Finder
‎06-04-2015 10:33 AM

Mhhh... I tried that already and for some reasons it's still going to the main index.
It's odd.

Hopefully this should not have anything to do with the fact that I am experimenting with the free splunk installation I have before sending it to the production one...

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-04-2015 12:29 PM

does your custom index exists ?

0 Karma
Reply

cmlombardo
Path Finder
‎06-04-2015 12:31 PM

Yes, and I verified it has the same name (including the case, even though I am not sure it would make a difference).

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-04-2015 01:08 PM

Oh my bad sorry .... try one of these settings:

[setindex_MySourceType]
REGEX = .
FORMAT = my_custom_i
DEST_KEY = _MetaData:Index
WRITE_META = true

or

[setindex_MySourceType]
REGEX = .
FORMAT = index::my_custom_i
DEST_KEY = _MetaData:Index
0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...