Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Rerouting to different index

cmlombardo
Path Finder
‎06-03-2015 12:27 PM

I can't seem to be able to reroute a sourcetype to a different index.

Here's props.conf:
[MySourceType]

# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType

And here is my transforms.conf

[setindex_MySourceType]
SOURCE_KEY = MetaData:Sourcetype
REGEX = (?i)^sourcetype::MySourceType
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i

What am I missing?!?

Thank you,
Claudio

Tags (2)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-03-2015 01:23 PM

Hi cmlombardo,

best thing would be to set the correct index at input level in the inputs.conf . But you can do this as well later on any Splunk server doing parsing. Maybe your regex does not match ; if you aplly this to one special sourcetype you can use something like this because you want to have anything from this sourcetype in the new index:

props.conf:
[MySourceType]
# makes sure it goes to the proper index.
TRANSFORMS-8_AssignToIndex = setindex_MySourceType

transforms.conf
[setindex_MySourceType]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = my_custom_i

As long as this is done at parsing level and the sourcetype matches exactly, you will get any new incoming events in the index=my_custom_i

Hope that helps ...

cheers, MuS

0 Karma
Reply

cmlombardo
Path Finder
‎06-04-2015 10:33 AM

Mhhh... I tried that already and for some reasons it's still going to the main index.
It's odd.

Hopefully this should not have anything to do with the fact that I am experimenting with the free splunk installation I have before sending it to the production one...

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-04-2015 12:29 PM

does your custom index exists ?

0 Karma
Reply

cmlombardo
Path Finder
‎06-04-2015 12:31 PM

Yes, and I verified it has the same name (including the case, even though I am not sure it would make a difference).

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-04-2015 01:08 PM

Oh my bad sorry .... try one of these settings:

[setindex_MySourceType]
REGEX = .
FORMAT = my_custom_i
DEST_KEY = _MetaData:Index
WRITE_META = true

or

[setindex_MySourceType]
REGEX = .
FORMAT = index::my_custom_i
DEST_KEY = _MetaData:Index
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...