Getting Data In

TCP:514 Input -> Multiple Indexex and Source Type

lpolo
Motivator

I have a TCP:514 input working without any problem but indexing in a single index.
I have not found a way to index events as follow:

Event A should be indexed in index=A
_time host="a.com" Type="A" ....... Any Key Value Pair

Event B should be indexed in index=B
_time host="a.com" Type="B" ....... Any Key Value Pair

How can I do that?

Thanks,
Lp

0 Karma

jconger
Splunk Employee
Splunk Employee

The Splunk Add-on for Cisco ASA (https://splunkbase.splunk.com/app/1620/) does something similar with sourcetypes. Using that add-on as an example, your props.conf should look something like this:

[source::tcp:514]
TRANSFORMS-force_indexes = force_index_A,force_index_B

Your transforms.conf should look something like this:

[force_index_A]
DEST_KEY = _MetaData:Index
REGEX = Type="A"
FORMAT = A

[force_index_B]
DEST_KEY = _MetaData:Index
REGEX = Type="B"
FORMAT = B

lpolo
Motivator

Thank you. It worked.
In case I would like to classify each index with a different sourcetype. How can I do that?

Thanks,
Lp

0 Karma

jconger
Splunk Employee
Splunk Employee

If you want to do index and sourcetype, your props.conf should look like this:

[source::tcp:514]
TRANSFORMS-force_indexes = force_index_A,force_index_B,force_sourcetype_A,force_sourcetype_B

And your transforms.conf file should look like this:

[force_index_A]
DEST_KEY = _MetaData:Index
REGEX = Type="A"
FORMAT = A

[force_index_B]
DEST_KEY = _MetaData:Index
REGEX = Type="B"
FORMAT = B

[force_sourcetype_A]
DEST_KEY = MetaData:Sourcetype
REGEX = Type="A"
FORMAT = sourcetype::sourcetype_A

[force_sourcetype_B]
DEST_KEY = MetaData:Sourcetype
REGEX = Type="B"
FORMAT = sourcetype::sourcetype_B
0 Karma

lpolo
Motivator

Thanks for the example.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...