Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- how to exclude in _MetaData:Index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed in our environment, from many uf, the internal logs were indexed under a different index name. After investigation, I find it's related to some settings in transforms.conf.
So in transforms.conf, it's like:
[test_windows_index]
REGEX =.*
DEST_KEY = _MetaData:Index
FORMAT = rexall_windows
in props.conf, for certain hosts, there're settings like:
[host::testserver1]
TRANSFORMS-Microsoft_AD_1 = test_windows_index, Routing_testCloud
I believe I should try to exclude indexes like "_internal, _audit",
so I changed REGEX=.* to REGEX=[a-zA-Z0-9]+
but it doesn't seem to work.
Appreciate if somebody here can help or provide suggestions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The default value for SOURCE_KEY is _raw, so REGEX matches against the raw event data.
Events headed for internal indexes should already have an index value defined, so you might try matching against _MetaData:Index and reformatting when the current value does not begin with an underscore:
[test_windows_index]
REGEX = ^(?!_).
FORMAT = rexall_windows
DEST_KEY = _MetaData:Index
SOURCE_KEY = _MetaData:Index
This should work for unstructured source types; however, data for events cooked by the forwarder, e.g. with INDEXD_EXTRACTIONS or force_local_processing = true in props.conf, may not have transforms applied by a heavy forwarder or indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot @tscroggins for your help!
I took it for granted that "REGEX=..." means "index=...", and I was confused by different results from 2 servers I was using for test. now I realized that one of them has "-" in computer name, thus my "REGEX=[a-zA-Z0-9]+" must have excluded.
Please correct me if I am wrong: the regex only works as "index=..." when "SOURCE_KEY = _MetaData:Index" is there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The default value for SOURCE_KEY is _raw, so REGEX matches against the raw event data.
Events headed for internal indexes should already have an index value defined, so you might try matching against _MetaData:Index and reformatting when the current value does not begin with an underscore:
[test_windows_index]
REGEX = ^(?!_).
FORMAT = rexall_windows
DEST_KEY = _MetaData:Index
SOURCE_KEY = _MetaData:Index
This should work for unstructured source types; however, data for events cooked by the forwarder, e.g. with INDEXD_EXTRACTIONS or force_local_processing = true in props.conf, may not have transforms applied by a heavy forwarder or indexer.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
Announcing Modern Navigation: A New Era of Splunk User Experience
