I'm trying to split messages that come into splunk via UDP:514 (single input, single sourcetype) into multiple indexes based on a regex that should be applied to the _raw message.
I've tried several suggestions I've found in splunk-base but nothing seems to work 😞
My current configuration looks like this:
inputs.conf
[tcp://8514]
connection_host = ip
sourcetype = syslog
props.conf
[syslog]
TRANSFORMS-index=route-to-index
transforms.conf
[route-to-index]
REGEX = ^<\d+>(app|pubsub|updater)(?:\[(\d+)\])?:\s
FORMAT = index::myindex
WRITE_META = true
The inputs.conf is in etc/system/local/inputs.conf, props and transforms are in a custom app.
The goal is to filter based on the process name for now. The regex definitely matches the messages, but nothing appears in myindex.
You're pretty close. In your
transforms.conf
[route-to-index]
REGEX = ^<\d+>(app|pubsub|updater)(?:\[(\d+)\])?:\s
FORMAT = myindex
DEST_KEY = _MetaData:Index
Should do the trick.
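To see what the accepted stanza actually does, here is a small simulation of the routing logic written for this thread (it is not Splunk code and not part of the original posts). It applies the REGEX from the answer to a few constructed syslog lines and returns the index each event lands in: the FORMAT value when the regex matches (the transform writes it into _MetaData:Index), otherwise the index the input was configured with. It also goes one step beyond the thread, which only sends every match to a single index, by mapping the captured process name (group 1) to a per-process index; the index names in that table are assumptions for illustration.

```python
import re

# REGEX and FORMAT/DEST_KEY values from the accepted answer in the thread.
ROUTE_REGEX = re.compile(r"^<\d+>(app|pubsub|updater)(?:\[(\d+)\])?:\s")
ROUTE_FORMAT = "myindex"          # FORMAT = myindex
DEST_KEY = "_MetaData:Index"      # DEST_KEY = _MetaData:Index

# Assumed per-process index names (not from the thread) for the generalisation:
# one index per captured process name, as the question's "split into multiple
# indexes based on the process name" goal would need.
PROCESS_INDEX = {
    "app": "idx_app",
    "pubsub": "idx_pubsub",
    "updater": "idx_updater",
}

# Constructed sample events; the PRI value and payloads are made up.
SAMPLE_EVENTS = [
    "<13>app[1234]: request served",
    "<13>pubsub: subscription renewed",
    "<13>updater[77]: checking for updates",
    "<13>sshd[991]: Accepted publickey for ops",   # not in the alternation
]


def route_event(raw, input_index="main"):
    """Index for one event under the answer's single-stanza transform.

    The event's metadata starts with the index assigned by the input stanza
    (the `index = main` case asked about later in the thread). When the regex
    matches, the transform overwrites _MetaData:Index with the FORMAT value.
    """
    meta = {DEST_KEY: input_index}
    if ROUTE_REGEX.search(raw):
        meta[DEST_KEY] = ROUTE_FORMAT
    return meta[DEST_KEY]


def route_by_process(raw, input_index="main"):
    """Generalisation: pick the index from the captured process name.

    Returns (index, pid) where pid is the optional bracketed number (group 2)
    or None. Events whose process is not in the alternation keep the input's
    index, exactly as with the single-stanza transform.
    """
    m = ROUTE_REGEX.search(raw)
    if not m:
        return input_index, None
    process, pid = m.group(1), m.group(2)
    return PROCESS_INDEX[process], pid


def route_all(events, input_index="main"):
    """Map every raw event to the index route_event assigns it."""
    return {raw: route_event(raw, input_index) for raw in events}


if __name__ == "__main__":
    for raw, idx in route_all(SAMPLE_EVENTS).items():
        print(f"{idx:10s} <- {raw}")
    for raw in SAMPLE_EVENTS:
        print(route_by_process(raw), raw)
```

The fallback branch is the point worth checking in a real deployment: an event the regex does not match never touches _MetaData:Index, so it stays in whatever index the input (or the default) gave it, which is why a regex that silently fails to match produces "nothing appears in myindex" rather than an error.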
I could swear that I also had this variant in my configs before, but it seems to work now, thanks a lot! 🙂
Is this still working if in inputs.conf an index is defined?
Let's say:
index = main