Getting Data In

Split syslog input into multiple indexes

hollow
Explorer

I'm trying to split messages that come into splunk via UDP:514 (single input, single sourcetype) into multiple indexes based on a regex that should be applied to the _raw message.

I've tried several suggestions i've found in splunk-base but nothing seems to work 😞

My current configuration looks like this:

inputs.conf

[tcp://8514]
connection_host = ip
sourcetype = syslog

props.conf

[syslog]
TRANSFORMS-index=route-to-index

transforms.conf

[route-to-index]
REGEX = ^<\d+>(app|pubsub|updater)(?:\[(\d+)\])?:\s
FORMAT = index::myindex
WRITE_META = true

The inputs.conf is in etc/system/local/inputs.conf, props and transforms are in a custom app.

The goal is to filter based on the process name for now. The regex definitely matches the messages, but nothing appears in myindex.

1 Solution

dart
Splunk Employee
Splunk Employee

You're pretty close. In your

transforms.conf

[route-to-index]
REGEX = ^<\d+>(app|pubsub|updater)(?:\[(\d+)\])?:\s
FORMAT = myindex
DEST_KEY = _MetaData:Index

Should do the trick.

View solution in original post

dart
Splunk Employee
Splunk Employee

You're pretty close. In your

transforms.conf

[route-to-index]
REGEX = ^<\d+>(app|pubsub|updater)(?:\[(\d+)\])?:\s
FORMAT = myindex
DEST_KEY = _MetaData:Index

Should do the trick.

hollow
Explorer

i could swear that i also had this variant in my configs before. but it seems to work now, thanks a lot! 🙂

0 Karma

zugji
Path Finder

Is this sill working if in inputs.conf an index is defined?
Let's say:

index = main
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...