Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: how to exclude in _MetaData:Index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed in our environment, from many uf, the internal logs were indexed under a different index name. After investigation, I find it's related to some settings in transforms.conf.
So in transforms.conf, it's like:
[test_windows_index]
REGEX =.*
DEST_KEY = _MetaData:Index
FORMAT = rexall_windows
in props.conf, for certain hosts, there're settings like:
[host::testserver1]
TRANSFORMS-Microsoft_AD_1 = test_windows_index, Routing_testCloud
I believe I should try to exclude indexes like "_internal, _audit",
so I changed REGEX=.* to REGEX=[a-zA-Z0-9]+
but it doesn't seem to work.
Appreciate if somebody here can help or provide suggestions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The default value for SOURCE_KEY is _raw, so REGEX matches against the raw event data.
Events headed for internal indexes should already have an index value defined, so you might try matching against _MetaData:Index and reformatting when the current value does not begin with an underscore:
[test_windows_index]
REGEX = ^(?!_).
FORMAT = rexall_windows
DEST_KEY = _MetaData:Index
SOURCE_KEY = _MetaData:Index
This should work for unstructured source types; however, data for events cooked by the forwarder, e.g. with INDEXD_EXTRACTIONS or force_local_processing = true in props.conf, may not have transforms applied by a heavy forwarder or indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot @tscroggins for your help!
I took it for granted that "REGEX=..." means "index=...", and I was confused by different results from 2 servers I was using for test. now I realized that one of them has "-" in computer name, thus my "REGEX=[a-zA-Z0-9]+" must have excluded.
Please correct me if I am wrong: the regex only works as "index=..." when "SOURCE_KEY = _MetaData:Index" is there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The default value for SOURCE_KEY is _raw, so REGEX matches against the raw event data.
Events headed for internal indexes should already have an index value defined, so you might try matching against _MetaData:Index and reformatting when the current value does not begin with an underscore:
[test_windows_index]
REGEX = ^(?!_).
FORMAT = rexall_windows
DEST_KEY = _MetaData:Index
SOURCE_KEY = _MetaData:Index
This should work for unstructured source types; however, data for events cooked by the forwarder, e.g. with INDEXD_EXTRACTIONS or force_local_processing = true in props.conf, may not have transforms applied by a heavy forwarder or indexer.
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
