Solved: Same log different indexers and index

biagiodipalma
Explorer

hi there,

I have some machines that collect Security logs from Windows. The universal forwarders on those machines have this kind of conf:

[WinEventLog://Security]
index=a
_TCP_ROUTING=indexer1, indexer2

Indexer1 and indexer2 are part of two different Splunk Enterprise installations: for indexer1 the 'a' index is correct, but indexer2 puts the security logs in index 'b'.

So I need to change my index on the indexers or on the heavy forwarders. How can I do this?

##########
I've tried this on the indexer:

props.conf

[source::WinEventLog:Security]
TRANSFORMS-indexing1 = idx_change

transforms.conf

[idx_change]
SOURCE_KEY=_raw
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=b

1 Solution

biagiodipalma
Explorer

SOLVED: in inputs.conf just specify the sourcetype or the source so that the indexer intercepts the data and applies the transforms stanza.

So my inputs.conf is like this:

[WinEventLog://Security]
index=a
sourcetype=WinEventLog
source=WinEventLog:Security
_TCP_ROUTING=groupA, groupB

aasabatini
Motivator

Hi @biagiodipalma

Can you share the outputs.conf configuration?

I need that configuration to understand the forwarder routing.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

biagiodipalma
Explorer

On the forwarder the outputs.conf is like this:

[tcpout:groupA]
server=indexer1:9997

[tcpout:groupB]
server=indexer2a:9997, indexer2b:9997

Above I referred to groupA as indexer1 and groupB as indexer2: groupB is made of two clustered indexers.

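As an added example that is not from the thread, the routing described above can be modelled in Python: it parses constructed copies of the posted inputs.conf, outputs.conf, props.conf and transforms.conf and reports which index the event lands in on every indexer, with and without the source/sourcetype lines from the accepted answer. The props/transforms evaluation is a deliberate simplification of what an indexer does, and the `DEST_KEY` spelling `_MetaData:Index` follows the Splunk documentation.

```python
import configparser
import fnmatch
import re

def load(text):
    """Parse a Splunk-style .conf fragment (keys are case-sensitive in Splunk)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

# Constructed copies of the thread's conf fragments; both groupB peers share one config.
OUTPUTS = load("[tcpout:groupA]\nserver=indexer1:9997\n"
               "[tcpout:groupB]\nserver=indexer2a:9997, indexer2b:9997\n")
IDX2_PROPS = load("[source::WinEventLog:Security]\nTRANSFORMS-indexing1 = idx_change\n")
IDX2_TRANS = load("[idx_change]\nSOURCE_KEY=_raw\nREGEX=.\nDEST_KEY=_MetaData:Index\nFORMAT=b\n")
PROPS = {"indexer2a": IDX2_PROPS, "indexer2b": IDX2_PROPS}       # indexer1 rewrites nothing
TRANSFORMS = {"indexer2a": IDX2_TRANS, "indexer2b": IDX2_TRANS}

def rewrite_index(host, event, raw):
    """Simplified props/transforms pass on one indexer: first index rewrite that fires wins."""
    props = PROPS.get(host)
    for sec in (props.sections() if props else []):
        if sec.startswith("source::"):          # [source::...] stanzas are wildcard patterns
            if not fnmatch.fnmatch(event.get("source", ""), sec[len("source::"):]):
                continue
        elif sec != event.get("sourcetype"):    # otherwise the stanza names a sourcetype
            continue
        for key, classes in props.items(sec):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (c.strip() for c in classes.split(",")):
                t = TRANSFORMS[host][name]
                # this model honours only the documented key spelling _MetaData:Index
                if t["DEST_KEY"] == "_MetaData:Index" and re.search(t["REGEX"], raw):
                    return t["FORMAT"]
    return None

def route(inputs_text, raw="An account was successfully logged on."):
    """Return {server: final index} for one event of the given inputs.conf stanza."""
    cp = load(inputs_text)
    event = cp[cp.sections()[0]]
    landed = {}
    for group in (g.strip() for g in event["_TCP_ROUTING"].split(",")):
        for server in (s.strip() for s in OUTPUTS[f"tcpout:{group}"]["server"].split(",")):
            landed[server] = rewrite_index(server.split(":")[0], event, raw) or event["index"]
    return landed

ORIGINAL = "[WinEventLog://Security]\nindex=a\n_TCP_ROUTING=groupA, groupB\n"
FIXED = ORIGINAL + "sourcetype=WinEventLog\nsource=WinEventLog:Security\n"
```

With `ORIGINAL` the `[source::WinEventLog:Security]` stanza never matches, so every indexer keeps index `a`; with `FIXED` the groupB peers rewrite to `b` while indexer1 stays on `a`.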