Getting Data In

routing problem

dikaye
Path Finder

I have a FW server and an indexer server. The FW server uses UDP 514 to receive all logs sent from the remote devices, and the indexer server uses TCP 9997 to receive all logs forwarded from the FW server. On both the FW server and the indexer server, my props.conf is the same, like this:

[host::211.167.20.156]
index = ironport_index

[host::211.167.20.29]
index = test_index1

[host::212.171.24.*]
index = test_index2

[host::212.171.214.165]
index = cisco_asa_

[syslog]
TRANSFORMS-routing = to_test_index3

And the transforms.conf like that:

[to_test_index3]
REGEX = ^\S+\s+\d+\s+\d+:\d+:\d+\s+192\.168\.2\.*
DEST_KEY = _MetaData:Index
FORMAT = test_index3

But it seems the logs don't go to the specified indexes; they all go to the main index. I don't know why. Do you have any idea? Thanks.


jrodman
Splunk Employee

While it may seem counterintuitive, index = foo in props.conf has no meaning. The code won't do anything on that basis.

In order to get the index to be set based on the host key in your data, there must be a TRANSFORMS key pointing to a transform stanza.

At the input layer, controlled by inputs.conf, you can pre-set the target index for all data that input stanza receives, which is where you may have picked up this pattern.

In this type of arrangement, I think you want to use the same TRANSFORMS-routing key for all four stanzas, set to different values, so that the stanza layering system simply selects a different transform for each data category. E.g.:

[host::211.167.20.156]
TRANSFORMS-routing = to_ironport_index

[host::211.167.20.29]
TRANSFORMS-routing = to_test_index1

[host::212.171.24.*]
TRANSFORMS-routing = to_test_index2

[host::212.171.214.165]
TRANSFORMS-routing = to_cisco_asa_index

[syslog]
TRANSFORMS-routing = to_test_index3

With transforms.conf entries for each that probably look something like:

[to_ironport_index]
SOURCE_KEY=_raw
REGEX=.
DEST_KEY=_MetaData:Index
FORMAT=ironport
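To make the answer concrete, here is a small simulator of the index-time routing described above. It is an added example, not code from the Splunk product or from either poster, and it models only the parts of props.conf/transforms.conf layering that matter here: stanza precedence (source:: over host:: over sourcetype, with `*` wildcards in host:: stanzas), the fact that a bare `index =` key in props.conf is never consulted, and a transform whose REGEX is tested against SOURCE_KEY (`_raw`) before DEST_KEY `_MetaData:Index` is set to FORMAT. The config dictionaries and the five syslog events are constructed for the example. One caveat it also illustrates: the question's pattern ends in `\.*`, which in a regex means zero or more literal dots, so it would also match a 192.168.20.x sender; the example's `to_test_index3` transform uses `192\.168\.2\.\d+\b` instead so that only 192.168.2.x hosts are routed.

```python
import re
from fnmatch import fnmatchcase

DEFAULT_INDEX = "main"  # where events land when no routing transform fires

# Constructed props.conf (assumption, not the poster's file). Each stanza carries
# the same TRANSFORMS-routing key, so layering picks one transform per event.
PROPS = {
    "host::211.167.20.156": {"TRANSFORMS-routing": "to_ironport_index"},
    "host::212.171.24.*":   {"TRANSFORMS-routing": "to_test_index2"},
    "syslog":               {"TRANSFORMS-routing": "to_test_index3"},
    # The pattern from the question: a bare 'index' key in props.conf is ignored.
    "host::10.0.0.9":       {"index": "should_not_work"},
}

# Constructed transforms.conf. REGEX is matched against SOURCE_KEY (default _raw);
# on a match DEST_KEY (_MetaData:Index) is set to FORMAT.
TRANSFORMS = {
    "to_ironport_index": dict(REGEX=r".", DEST_KEY="_MetaData:Index", FORMAT="ironport_index"),
    "to_test_index2":    dict(REGEX=r".", DEST_KEY="_MetaData:Index", FORMAT="test_index2"),
    # Anchored on the syslog header, then the sender address; \d+\b keeps
    # 192.168.20.x from matching (the question's trailing \.* would let it through).
    "to_test_index3":    dict(REGEX=r"^\S+\s+\d+\s+\d+:\d+:\d+\s+192\.168\.2\.\d+\b",
                              DEST_KEY="_MetaData:Index", FORMAT="test_index3"),
}

# props.conf precedence, highest first: source::, host::, then a plain sourcetype stanza.
PRECEDENCE = ("source::", "host::", "")


def stanza_matches(stanza, event):
    """True if a props.conf stanza name applies to this event (host:: and source:: take globs)."""
    for prefix, key in (("source::", "source"), ("host::", "host")):
        if stanza.startswith(prefix):
            return fnmatchcase(event[key], stanza[len(prefix):])
    return stanza == event["sourcetype"]


def effective_setting(event, key):
    """Return the winning value of `key` after stanza layering, or None if no stanza sets it."""
    ranked = []
    for stanza, settings in PROPS.items():
        if key in settings and stanza_matches(stanza, event):
            rank = next(i for i, p in enumerate(PRECEDENCE) if stanza.startswith(p))
            ranked.append((rank, settings[key]))
    return min(ranked)[1] if ranked else None


def route(event):
    """Simulated index-time routing: returns the index the event ends up in."""
    name = effective_setting(event, "TRANSFORMS-routing")
    if name is None:               # no transform selected -> 'index =' in props is never read
        return DEFAULT_INDEX
    t = TRANSFORMS[name]
    if t["DEST_KEY"] != "_MetaData:Index":
        return DEFAULT_INDEX
    text = event.get(t.get("SOURCE_KEY", "_raw"), "")
    return t["FORMAT"] if re.search(t["REGEX"], text) else DEFAULT_INDEX


# Constructed sample events as the forwarder would see them on udp:514.
SAMPLE_EVENTS = [
    dict(host="211.167.20.156", source="udp:514", sourcetype="syslog",
         _raw="Apr 11 10:22:31 211.167.20.156 ironport: mail flow summary"),
    dict(host="212.171.24.77", source="udp:514", sourcetype="syslog",
         _raw="Apr 11 10:22:32 212.171.24.77 switch: link up on Gi0/1"),
    dict(host="192.168.2.10", source="udp:514", sourcetype="syslog",
         _raw="Apr 11 10:22:33 192.168.2.10 sshd[412]: Accepted publickey for ops"),
    dict(host="192.168.20.10", source="udp:514", sourcetype="syslog",
         _raw="Apr 11 10:22:34 192.168.20.10 kernel: eth0 link is up"),
    dict(host="10.0.0.9", source="udp:514", sourcetype="cisco:asa",
         _raw="Apr 11 10:22:35 10.0.0.9 %ASA-6-302013: Built outbound TCP connection"),
]


def route_all(events=SAMPLE_EVENTS):
    """Map each event's host to the index it is routed to."""
    return {e["host"]: route(e) for e in events}


if __name__ == "__main__":
    for host, index in route_all().items():
        print(f"{host:16} -> {index}")
```

Running it shows the two host:: stanzas beating the [syslog] fallback, the 192.168.2.10 event routed by the regex, the 192.168.20.10 event falling through to main, and the 10.0.0.9 host (which only has `index =` in props.conf) also landing in main, which is exactly the symptom in the question.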