Solved: Same log different indexers and index

biagiodipalma
Explorer

hi there,

I have some machines that collect Security logs from Windows. The universal forwarders on those machines have this kind of conf:

[WinEventLog://Security]
index=a
_TCP_ROUTING=indexer1, indexer2

 

 

Indexer1 and indexer2 belong to two different Splunk Enterprise installations: for indexer1 the 'a' index is correct, but indexer2 puts the Security logs in index 'b'.

So I need to change my index on indexers or on heavy forwarders. How can I do this?

##########
I've tried this on the indexer:

props.conf

[source::WinEventLog:Security]
TRANSFORMS-indexing1 = idx_change

transforms.conf

[idx_change]
SOURCE_KEY=_raw
REGEX=.
# the key name is case-sensitive and must be spelled _MetaData:Index
DEST_KEY=_MetaData:Index
FORMAT=b

biagiodipalma
Explorer

SOLVED: in inputs.conf just specify the sourcetype or the source so that the indexer intercepts the data and applies the transforms stanza.

So my inputs.conf is like this:

[WinEventLog://Security]
index=a
sourcetype=WinEventLog
source=WinEventLog:Security
# group names must match the [tcpout:<group>] stanzas in outputs.conf
_TCP_ROUTING=groupA, groupB


aasabatini
Motivator

Hi @biagiodipalma

Can you share the outputs.conf configuration?

I need that configuration to understand the forwarder routing.


biagiodipalma
Explorer

On the forwarder the outputs.conf is like this:

[tcpout:groupA]
server=indexer1:9997

[tcpout:groupB]
server=indexer2a:9997, indexer2b:9997

Above I referred to groupA as indexer1 and groupB as indexer2: groupB is made of two indexers in a cluster.
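An added example, not code from this thread or from Splunk: a small Python script that parses the forwarder-side inputs.conf/outputs.conf (the solution post and the outputs.conf reply above) and the indexer-side props.conf/transforms.conf (the first attempt), then simulates, in a deliberately simplified model of the Splunk pipeline, which tcpout groups one Security event is routed to and which index it ends up in on the second deployment. The conf text, host names and group names are constructed to mirror the posts; the model takes source and sourcetype only from what inputs.conf sets explicitly and matches source:: stanzas exactly, which is simpler than what Splunk itself does. The lint() function reports the three things that silently break this kind of setup: a DEST_KEY whose case does not match _MetaData:Index, a _TCP_ROUTING group with no [tcpout:<group>] stanza, and an input whose source/sourcetype matches no props.conf stanza.

```python
import configparser
import re

# Constructed conf text mirroring the thread; host and group names are labels, not real systems.
FORWARDER_INPUTS = """\
[WinEventLog://Security]
index = a
sourcetype = WinEventLog
source = WinEventLog:Security
_TCP_ROUTING = groupA, groupB
"""
FORWARDER_OUTPUTS = """\
[tcpout:groupA]
server = indexer1:9997

[tcpout:groupB]
server = indexer2a:9997, indexer2b:9997
"""
INDEXER2_PROPS = """\
[source::WinEventLog:Security]
TRANSFORMS-indexing1 = idx_change
"""
INDEXER2_TRANSFORMS = """\
[idx_change]
SOURCE_KEY = _raw
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = b
"""
# The thread's first attempt spelled the key "_Metadata:Index"; DEST_KEY names are case-sensitive.
INDEXER2_TRANSFORMS_TYPO = INDEXER2_TRANSFORMS.replace("_MetaData:Index", "_Metadata:Index")
# DEST_KEY values transforms.conf accepts (from the transforms.conf spec).
VALID_DEST_KEYS = {"_raw", "_meta", "_time", "queue", "_TCP_ROUTING", "_SYSLOG_ROUTING",
                   "_MetaData:Index", "MetaData:Host", "MetaData:Source", "MetaData:Sourcetype"}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep _TCP_ROUTING / TRANSFORMS-x exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def routing_groups(inputs, outputs, stanza):
    """tcpout groups an input stanza routes to; a group with no [tcpout:<group>] stanza is an error."""
    groups = [g.strip() for g in inputs[stanza].get("_TCP_ROUTING", "").split(",") if g.strip()]
    missing = [g for g in groups if f"tcpout:{g}" not in outputs]
    if missing:
        raise ValueError(f"_TCP_ROUTING names groups absent from outputs.conf: {missing}")
    return groups


def matching_props_stanzas(props, source, sourcetype):
    """Simplified props precedence: source:: stanzas first, then a plain sourcetype stanza."""
    # Exact match on the source only; real Splunk also allows '...' and '*' wildcards here.
    hits = [s for s in props if s.startswith("source::") and s[8:] == source]
    if sourcetype in props:
        hits.append(sourcetype)
    return hits


def apply_transforms(props, transforms, event):
    """Run each TRANSFORMS-* chain of every matching props stanza; DEST_KEY is set verbatim."""
    for stanza in matching_props_stanzas(props, event.get("MetaData:Source"), event.get("MetaData:Sourcetype")):
        for key, value in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]
                m = re.search(t.get("REGEX", ""), event.get(t.get("SOURCE_KEY", "_raw"), ""))
                if m:
                    fmt = re.sub(r"\$(\d+)", r"\\\1", t.get("FORMAT", ""))  # Splunk $1 -> Python \1
                    event[t["DEST_KEY"]] = m.expand(fmt)  # a misspelled key never touches _MetaData:Index
    return event


def resolve_index(inputs_text, props_text, transforms_text, stanza="WinEventLog://Security"):
    """Index one event from `stanza` lands in on an indexer running the given props/transforms."""
    inputs, props, transforms = parse_conf(inputs_text), parse_conf(props_text), parse_conf(transforms_text)
    cfg = inputs[stanza]
    # Simplification: source/sourcetype come only from what inputs.conf sets explicitly.
    event = {"_raw": "constructed sample event text",
             "MetaData:Source": cfg.get("source"), "MetaData:Sourcetype": cfg.get("sourcetype"),
             "_MetaData:Index": cfg.get("index", "main")}
    return apply_transforms(props, transforms, event)["_MetaData:Index"]


def lint(inputs_text, outputs_text, props_text, transforms_text):
    """Problems to fix before deploying: bad DEST_KEY, unknown tcpout group, props stanza that never matches."""
    inputs, outputs, props, transforms = (parse_conf(t) for t in (inputs_text, outputs_text, props_text, transforms_text))
    problems = []
    for name, t in transforms.items():
        if t.get("DEST_KEY") and t["DEST_KEY"] not in VALID_DEST_KEYS:
            problems.append(f"[{name}] DEST_KEY={t['DEST_KEY']!r} is not a valid key (names are case-sensitive)")
    for stanza, cfg in inputs.items():
        try:
            routing_groups(inputs, outputs, stanza)
        except ValueError as exc:
            problems.append(f"[{stanza}] {exc}")
        if not matching_props_stanzas(props, cfg.get("source"), cfg.get("sourcetype")):
            problems.append(f"[{stanza}] no props.conf stanza matches its source/sourcetype, so transforms never run")
    return problems


if __name__ == "__main__":
    print("index on indexer2:", resolve_index(FORWARDER_INPUTS, INDEXER2_PROPS, INDEXER2_TRANSFORMS))
    print("problems:", lint(FORWARDER_INPUTS, FORWARDER_OUTPUTS, INDEXER2_PROPS, INDEXER2_TRANSFORMS_TYPO))
```

With the corrected conf the event routes to groupA and groupB and lands in index b on the second deployment; with the misspelled DEST_KEY it stays in index a, and a _TCP_ROUTING value such as "group a, group b" that names no [tcpout:...] stanza is reported rather than silently dropped.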
