Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- how to exclude in _MetaData:Index
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AllenZhang
Explorer
01-02-2022
08:41 AM
I noticed in our environment, from many uf, the internal logs were indexed under a different index name. After investigation, I find it's related to some settings in transforms.conf.
So in transforms.conf, it's like:
[test_windows_index]
REGEX =.*
DEST_KEY = _MetaData:Index
FORMAT = rexall_windows
in props.conf, for certain hosts, there're settings like:
[host::testserver1]
TRANSFORMS-Microsoft_AD_1 = test_windows_index, Routing_testCloud
I believe I should try to exclude indexes like "_internal, _audit",
so I changed REGEX=.* to REGEX=[a-zA-Z0-9]+
but it doesn't seem to work.
Appreciate if somebody here can help or provide suggestions.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tscroggins
Influencer
01-02-2022
09:43 AM
The default value for SOURCE_KEY is _raw, so REGEX matches against the raw event data.
Events headed for internal indexes should already have an index value defined, so you might try matching against _MetaData:Index and reformatting when the current value does not begin with an underscore:
[test_windows_index]
REGEX = ^(?!_).
FORMAT = rexall_windows
DEST_KEY = _MetaData:Index
SOURCE_KEY = _MetaData:Index
This should work for unstructured source types; however, data for events cooked by the forwarder, e.g. with INDEXD_EXTRACTIONS or force_local_processing = true in props.conf, may not have transforms applied by a heavy forwarder or indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AllenZhang
Explorer
01-02-2022
02:34 PM
Thanks a lot @tscroggins for your help!
I took it for granted that "REGEX=..." means "index=...", and I was confused by different results from 2 servers I was using for test. now I realized that one of them has "-" in computer name, thus my "REGEX=[a-zA-Z0-9]+" must have excluded.
Please correct me if I am wrong: the regex only works as "index=..." when "SOURCE_KEY = _MetaData:Index" is there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tscroggins
Influencer
01-02-2022
09:43 AM
The default value for SOURCE_KEY is _raw, so REGEX matches against the raw event data.
Events headed for internal indexes should already have an index value defined, so you might try matching against _MetaData:Index and reformatting when the current value does not begin with an underscore:
[test_windows_index]
REGEX = ^(?!_).
FORMAT = rexall_windows
DEST_KEY = _MetaData:Index
SOURCE_KEY = _MetaData:Index
This should work for unstructured source types; however, data for events cooked by the forwarder, e.g. with INDEXD_EXTRACTIONS or force_local_processing = true in props.conf, may not have transforms applied by a heavy forwarder or indexer.
Get Updates on the Splunk Community!
Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and ...
Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and Splunk ES
Protecting a ...
It's Customer Success Time at .conf25
Hello Splunkers,
Ready for .conf25? The customer success and experience team is and can’t wait to see you ...
Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust
Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
