Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Solved: Same log different indexers and index

biagiodipalma
Explorer
‎04-13-2021 08:01 AM

hi there,

I have some machines that collect Security logs from Windows. The universal forwarder on machines have this kind of conf:

 

 

[WinEventLog://Security]
index=a
_TCP_ROUTING=indexer1, indexer2

 

 

Indexer1 and indexer2 are part of two different Splunk Enterprise installations: for indexer1 the 'a' index is correct, but the indexer2 puts security logs on index 'b'.

So I need to change my index on indexers or on heavy forwarders. How can I do this?

##########
I've tried this on indexer:
props.conf

 

 

[source::WinEventLog:Security]
TRANSFORMS-indexing1 = idx_change

 

 

transforms.conf

 

 

[idx_change]
SOURCE_KEY=_raw
REGEX=.
DEST_KEY=_Metadata:Index
FORMAT=b

 

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

biagiodipalma
Explorer
‎04-14-2021 03:24 AM

SOLVED: in inputs.conf just specify the sourcetype or the source in order to let indexer intercept data and apply the transforms' stanza.

So my inputs.conf is like this:

[WinEventLog://Security]
index=a
sourcetype=WinEventLog
source=WinEventLog:Security

_TCP_ROUTING=group a, group b

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

biagiodipalma
Explorer
‎04-14-2021 03:24 AM

SOLVED: in inputs.conf just specify the sourcetype or the source in order to let indexer intercept data and apply the transforms' stanza.

So my inputs.conf is like this:

[WinEventLog://Security]
index=a
sourcetype=WinEventLog
source=WinEventLog:Security

_TCP_ROUTING=group a, group b

 

0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎04-13-2021 10:47 AM

Hi @biagiodipalma 

Can you share the outputs.conf configuration?

I need that configuration to understand the forwarder routing

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

biagiodipalma
Explorer
‎04-13-2021 01:47 PM

On tre Forwarder the outputs.conf is like this:

[tcpout:groupA]
server=indexer1:9997

[tcpout:groupB]
server=indexer2a:9997, indexer2b:9997

 

above I mentioned groupA as indexer1 and groupB as indexer2: groupB is made of two indexers in cluster 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...