Getting Data In

TCP:514 Input -> Multiple Indexes and Source Type

lpolo
Motivator

I have a TCP:514 input working without any problem but indexing in a single index.
I have not found a way to index events as follows:

Event A should be indexed in index=A
_time host="a.com" Type="A" ....... Any Key Value Pair

Event B should be indexed in index=B
_time host="a.com" Type="B" ....... Any Key Value Pair

How can I do that?

Thanks,
Lp

0 Karma

jconger
Splunk Employee

The Splunk Add-on for Cisco ASA (https://splunkbase.splunk.com/app/1620/) does something similar with sourcetypes. Using that add-on as an example, your props.conf should look something like this:

[source::tcp:514]
TRANSFORMS-force_indexes = force_index_A,force_index_B

Your transforms.conf should look something like this:

[force_index_A]
DEST_KEY = _MetaData:Index
REGEX = Type="A"
FORMAT = A

[force_index_B]
DEST_KEY = _MetaData:Index
REGEX = Type="B"
FORMAT = B

lpolo
Motivator

Thank you. It worked.
In case I would like to classify each index with a different sourcetype, how can I do that?

Thanks,
Lp

0 Karma

jconger
Splunk Employee

If you want to do index and sourcetype, your props.conf should look like this:

[source::tcp:514]
TRANSFORMS-force_indexes = force_index_A,force_index_B,force_sourcetype_A,force_sourcetype_B

And your transforms.conf file should look like this:

# Index override: DEST_KEY keeps the leading underscore and FORMAT is the bare index name
[force_index_A]
DEST_KEY = _MetaData:Index
REGEX = Type="A"
FORMAT = A

[force_index_B]
DEST_KEY = _MetaData:Index
REGEX = Type="B"
FORMAT = B

# Sourcetype override: no leading underscore, and FORMAT carries the sourcetype:: prefix
[force_sourcetype_A]
DEST_KEY = MetaData:Sourcetype
REGEX = Type="A"
FORMAT = sourcetype::sourcetype_A

[force_sourcetype_B]
DEST_KEY = MetaData:Sourcetype
REGEX = Type="B"
FORMAT = sourcetype::sourcetype_B
0 Karma
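
The following is an added, offline simulation of how the props.conf / transforms.conf chain in the two answers above routes events; it is example code written for this page, not something from the original thread or from Splunk. It embeds the transforms.conf stanzas from the second answer, applies each REGEX to the raw event in the order listed in the TRANSFORMS-force_indexes line, and rewrites the index or sourcetype on every match, which is the behaviour to expect from Splunk: the REGEX is unanchored and searched anywhere in the event, and when several transforms match, the one listed last in props.conf wins. The default index and sourcetype ("main", "syslog") and all sample events are assumptions made for the demo. The last sample event is the caveat a practitioner should keep in mind: because routing keys off the event content, anyone who can reach the unauthenticated TCP:514 listener can choose which index (and therefore which role-based access scope) their events land in simply by writing Type="B" into the payload, so restrict who can send to that port and do not treat these indexes as a trust boundary between senders.

```python
"""Simulate Splunk TRANSFORMS-<class> index/sourcetype overrides (constructed example)."""
import configparser
import re

# Copy of the transforms.conf stanzas from the answer above, embedded so this runs offline.
TRANSFORMS_CONF = """\
[force_index_A]
DEST_KEY = _MetaData:Index
REGEX = Type="A"
FORMAT = A

[force_index_B]
DEST_KEY = _MetaData:Index
REGEX = Type="B"
FORMAT = B

[force_sourcetype_A]
DEST_KEY = MetaData:Sourcetype
REGEX = Type="A"
FORMAT = sourcetype::sourcetype_A

[force_sourcetype_B]
DEST_KEY = MetaData:Sourcetype
REGEX = Type="B"
FORMAT = sourcetype::sourcetype_B
"""

# Order from props.conf: TRANSFORMS-force_indexes = force_index_A,force_index_B,...
TRANSFORMS_ORDER = ["force_index_A", "force_index_B",
                    "force_sourcetype_A", "force_sourcetype_B"]

# Assumed defaults for the [source::tcp:514] input (hypothetical values for the demo).
DEFAULT_INDEX = "main"
DEFAULT_SOURCETYPE = "syslog"


def parse_transforms(conf_text):
    """Parse transforms.conf text into {stanza_name: {DEST_KEY, REGEX, FORMAT}}."""
    # Only "=" is a delimiter, so values such as _MetaData:Index survive intact.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep DEST_KEY / REGEX / FORMAT exactly as written
    cp.read_string(conf_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def route_event(raw, transforms, order=TRANSFORMS_ORDER):
    """Return {"index": ..., "sourcetype": ...} for one raw event.

    Every transform in `order` whose REGEX matches rewrites its DEST_KEY, so a
    later entry in the props.conf list overrides an earlier one.
    """
    meta = {"index": DEFAULT_INDEX, "sourcetype": DEFAULT_SOURCETYPE}
    for name in order:
        stanza = transforms[name]
        if re.search(stanza["REGEX"], raw) is None:
            continue
        if stanza["DEST_KEY"] == "_MetaData:Index":
            meta["index"] = stanza["FORMAT"]  # FORMAT is the bare index name
        elif stanza["DEST_KEY"] == "MetaData:Sourcetype":
            # FORMAT is "sourcetype::<name>"; Splunk stores only <name>
            meta["sourcetype"] = stanza["FORMAT"].split("::", 1)[1]
    return meta


# Constructed sample events in the key=value shape from the question (not real data).
SAMPLE_EVENTS = {
    "plain_A": '2024-05-01T10:00:00Z host="a.com" Type="A" user="alice" action="login"',
    "plain_B": '2024-05-01T10:00:01Z host="a.com" Type="B" user="bob" action="logout"',
    "no_match": '2024-05-01T10:00:02Z host="a.com" Type="C" user="carol" action="noop"',
    # Type="A" is the real field, but Type="B" also appears inside another value.
    # Both regexes match; force_index_B / force_sourcetype_B run later and win,
    # so an attacker controlling the payload controls the destination index.
    "spoofed": '2024-05-01T10:00:03Z host="a.com" Type="A" note="retry of Type="B" request"',
}


def route_all(events=SAMPLE_EVENTS, conf_text=TRANSFORMS_CONF):
    """Route every sample event and return {label: {"index", "sourcetype"}}."""
    transforms = parse_transforms(conf_text)
    return {label: route_event(raw, transforms) for label, raw in events.items()}


if __name__ == "__main__":
    for label, meta in route_all().items():
        print(f"{label:9s} -> index={meta['index']:5s} sourcetype={meta['sourcetype']}")
```

Running the script prints one line per sample event; the "spoofed" line lands in index B with sourcetype_B even though its own Type field says A. If that matters in your environment, anchor the REGEX to the field position you actually emit (for example to the token that follows host="...") and put network-level controls on who may reach port 514, since a TRANSFORMS chain cannot tell a genuine field from one smuggled inside free text.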

lpolo
Motivator

Thanks for the example.

0 Karma