Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Transform to replace index does not work for two hosts

echalex
Builder
‎09-14-2017 03:00 AM

Due to certain reasons, we have a number of destination indexes that need to be rewritten before indexing. Basically a partner of ours is using the name fubar_company, while we use another. We have a number of rules in transforms.conf to rewrite. The failing example is below. The others are very similar.

This works for the entire infrastructure, except two Splunk servers, one search head and one cluster master. Both of them forward to the indexer cluster, with indexAndForward = false.

For a while, we received alerts for events being forwarded to a non-existing index. So I created the index and can see the events in index=os from both hosts. The splunk_server field reveals that the events end up in the correct indexers, but not index.

We're using Splunk 6.2.1. The files are distributed to the indexers through the cluster master.

props.conf:
[default]
TRANSFORMS-changeindex=redirIdxLinux # There are more transforms here, but this is the failing one

transforms.conf:
[redirIdxLinux]
REGEX = linux_company
SOURCE_KEY = _MetaData:Index
DEST_KEY = _MetaData:Index
FORMAT = os
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maciep
Champion
‎09-14-2017 08:28 AM

do you have those setting pushed to your search head and cm as well? I believe that parsing will happen at the first full Splunk Enterprise instance along the way, which would be the servers themselves.

View solution in original post

Reply
Solved! Jump to solution
Solution

maciep
Champion
‎09-14-2017 08:28 AM

do you have those setting pushed to your search head and cm as well? I believe that parsing will happen at the first full Splunk Enterprise instance along the way, which would be the servers themselves.

Reply
Solved! Jump to solution

echalex
Builder
‎09-18-2017 05:02 AM

Yep, you're quite right. Actually, the thought occurred to me, so I copied the files to the relevant servers and did an |extract reload=T as per the documentation. However, it seems this doesn't take effect without a full restart. It works as expected after a restart.
Thanks!

Reply
Solved! Jump to solution

jluo_splunk
Splunk Employee
Splunk Employee
‎09-18-2017 07:44 AM

I believe the "|extract reload=T" was deprecated. Do you have admin capabilities on your splunk servers? You can go to :/debug/refresh to reload the transforms and props without a full restart.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...