Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Routing not working as expected

mikefoti
Communicator
‎11-23-2011 12:24 PM

I made the following edits in the to the local\props and transforms files in order to redirect all events coming from the Splunk UF on the host name fofrd to the index name tmg:

props.conf

[host::fofrd]
TRANSFORMS-force_index_for_fofrd = force_index_tmg

transforms.conf

[force_index_tmg]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = tmg

After the edits I restared splunkd and the SUF service on the other host. But I'm not getting what I expected. While I do get SOME events routed to the new TMG index, thy all seem to be related to the SplunkUF service itself. Other events, the ones I care about, still get forwarded to the defauel index.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mikefoti
Communicator
‎11-25-2011 06:11 AM

Thanks for your suggestion. Actually the host field in the events in the TMG index is in fact polulated with "fofrd". It looks now like the original edits I made were correct after all. I beleive I did not see any events becuase there were no events. But when I came in this AM to consider implementing your suggestion, I noticed plenty of events have been collected, without making any new changes.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mikefoti
Communicator
‎11-25-2011 06:11 AM

Thanks for your suggestion. Actually the host field in the events in the TMG index is in fact polulated with "fofrd". It looks now like the original edits I made were correct after all. I beleive I did not see any events becuase there were no events. But when I came in this AM to consider implementing your suggestion, I noticed plenty of events have been collected, without making any new changes.

0 Karma
Reply
Solved! Jump to solution

_d_
Splunk Employee
Splunk Employee
‎11-23-2011 12:37 PM

The reason for this behavior is that the field host of those events is not fofrd. fofrd is the host of events that originate from the UF itself. What I suggest you to do in this case is to use either the host of the events or source:: (instead of host::) in your props and list all sources from that UF. Ex:

props.conf
[source::/my/path/being/monitored]
TRANSFORMS-force_index_for_fofrd = force_index_tmg

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...