Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Solved: Same log different indexers and index

biagiodipalma
Explorer
‎04-13-2021 08:01 AM

hi there,

I have some machines that collect Security logs from Windows. The universal forwarder on machines have this kind of conf:

 

 

[WinEventLog://Security]
index=a
_TCP_ROUTING=indexer1, indexer2

 

 

Indexer1 and indexer2 are part of two different Splunk Enterprise installations: for indexer1 the 'a' index is correct, but the indexer2 puts security logs on index 'b'.

So I need to change my index on indexers or on heavy forwarders. How can I do this?

##########
I've tried this on indexer:
props.conf

 

 

[source::WinEventLog:Security]
TRANSFORMS-indexing1 = idx_change

 

 

transforms.conf

 

 

[idx_change]
SOURCE_KEY=_raw
REGEX=.
DEST_KEY=_Metadata:Index
FORMAT=b

 

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

biagiodipalma
Explorer
‎04-14-2021 03:24 AM

SOLVED: in inputs.conf just specify the sourcetype or the source in order to let indexer intercept data and apply the transforms' stanza.

So my inputs.conf is like this:

[WinEventLog://Security]
index=a
sourcetype=WinEventLog
source=WinEventLog:Security

_TCP_ROUTING=group a, group b

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

biagiodipalma
Explorer
‎04-14-2021 03:24 AM

SOLVED: in inputs.conf just specify the sourcetype or the source in order to let indexer intercept data and apply the transforms' stanza.

So my inputs.conf is like this:

[WinEventLog://Security]
index=a
sourcetype=WinEventLog
source=WinEventLog:Security

_TCP_ROUTING=group a, group b

 

0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎04-13-2021 10:47 AM

Hi @biagiodipalma 

Can you share the outputs.conf configuration?

I need that configuration to understand the forwarder routing

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

biagiodipalma
Explorer
‎04-13-2021 01:47 PM

On tre Forwarder the outputs.conf is like this:

[tcpout:groupA]
server=indexer1:9997

[tcpout:groupB]
server=indexer2a:9997, indexer2b:9997

 

above I mentioned groupA as indexer1 and groupB as indexer2: groupB is made of two indexers in cluster 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...