Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Transform to replace index does not work for two hosts

echalex
Builder
‎09-14-2017 03:00 AM

Due to certain reasons, we have a number of destination indexes that need to be rewritten before indexing. Basically a partner of ours is using the name fubar_company, while we use another. We have a number of rules in transforms.conf to rewrite. The failing example is below. The others are very similar.

This works for the entire infrastructure, except two Splunk servers, one search head and one cluster master. Both of them forward to the indexer cluster, with indexAndForward = false.

For a while, we received alerts for events being forwarded to a non-existing index. So I created the index and can see the events in index=os from both hosts. The splunk_server field reveals that the events end up in the correct indexers, but not index.

We're using Splunk 6.2.1. The files are distributed to the indexers through the cluster master.

props.conf:
[default]
TRANSFORMS-changeindex=redirIdxLinux # There are more transforms here, but this is the failing one

transforms.conf:
[redirIdxLinux]
REGEX = linux_company
SOURCE_KEY = _MetaData:Index
DEST_KEY = _MetaData:Index
FORMAT = os
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maciep
Champion
‎09-14-2017 08:28 AM

do you have those setting pushed to your search head and cm as well? I believe that parsing will happen at the first full Splunk Enterprise instance along the way, which would be the servers themselves.

View solution in original post

Reply
Solved! Jump to solution
Solution

maciep
Champion
‎09-14-2017 08:28 AM

do you have those setting pushed to your search head and cm as well? I believe that parsing will happen at the first full Splunk Enterprise instance along the way, which would be the servers themselves.

Reply
Solved! Jump to solution

echalex
Builder
‎09-18-2017 05:02 AM

Yep, you're quite right. Actually, the thought occurred to me, so I copied the files to the relevant servers and did an |extract reload=T as per the documentation. However, it seems this doesn't take effect without a full restart. It works as expected after a restart.
Thanks!

Reply
Solved! Jump to solution

jluo_splunk
Splunk Employee
Splunk Employee
‎09-18-2017 07:44 AM

I believe the "|extract reload=T" was deprecated. Do you have admin capabilities on your splunk servers? You can go to :/debug/refresh to reload the transforms and props without a full restart.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...