Re: Route events to different indexes based on hos...

Abha111 · ‎11-14-2021

Hi,

I want to send data to x index if the host is non prod and host name is like abc-nprd* for /var/log

However, would like to send data to y index if host is prod and host name is like abc-prd* for /var/log

Don't want to create multiple apps for prod and non prod. So is there is way I can achieve the above by deploying the same app to prod and non prod.

Any help appreciated.

Thanks.

bhargavi · ‎11-14-2021

Hi @Abha111 ,

Will the host name parameter come inside the events as well? If yes. you can simply define a regex in transforms.conf to route it to specific index.

Example below.

props.conf

[your_sourcetype]
enter your props
TRANSFORMS-routing=set_nonprod,setprod

transforms.conf
[set_nonprod]
REGEX = abc-nprd*
DEST_KEY = _MetaData:Index
FORMAT = index_x

[setprod]
REGEX = abc-prd*
DEST_KEY = _MetaData:Index
FORMAT = index_y

Try this. Let me know for any further questions. If this works, give thumbs-up 🙂

Happy Splunking!!

Route events to different indexes based on hostname

universal forwarder

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Route events to different indexes based on hostname

universal forwarder

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!