I have syslog-ng data coming from LWFs that have been earmarked for indexA. I want to intercept these events and reroute them to another index called indexB. It doesn't seem to be working. Am I missing something basic?
The sourcetype is syslog so in props I have:
props.conf:
[syslog]
# Runs the index-routing transform on every event of sourcetype syslog
TRANSFORMS-route = route2indexB
transforms.conf:
[route2indexB]
# Match the sending host's address in _raw; dots are escaped so they only match literal dots
REGEX = (192\.168\.1\.12)
# Overwrite the destination index key with the value in FORMAT
DEST_KEY = _MetaData:Index
FORMAT = indexB
I've tried multiple iterations of this configuration including using source and host in props.conf. I can't seem to get the data to go to indexB.
Turns out the LWF was not a LWF. It was a heavyweight forwarder 🙂
Thanks to Raitz for figuring that out. He spotted the _linebreaker in the tcpdump output which is an indication of cooked data.
I had the system owner enable LWF from CLI and all is working as expected.
Wow. Would have been easier if you'd sent a Splunk diag.
Here's the tcpdump command that was run at the indexer: /usr/sbin/tcpdump -A -s 1512 host
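As an added illustration of the diagnosis in this thread (not code from the original posts or from Splunk), the script below reads the ASCII output of a capture like the one above, groups packets by sending host, and flags any sender whose payload carries the cooked-data markers (_linebreaker, _MetaData:Index). Data that is already cooked has gone through the parsing pipeline on the forwarder, which is where index-time transforms run, so indexer-side props/transforms routing will not touch it. The capture text is constructed sample data, not a real dump.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -A` output on an indexer's receiving port (not real capture data).
# Each packet is a header line followed by one or more ASCII payload lines.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.12.51234 > 10.0.0.5.9997: Flags [P.], length 312
..._linebreaker....._MetaData:Index..indexA..
<13>Jan  1 12:00:01 fw01 kernel: DROP IN=eth0 SRC=10.9.9.9
12:00:01.000250 IP 192.168.1.20.51300 > 10.0.0.5.9997: Flags [P.], length 140
<13>Jan  1 12:00:01 app02 sshd[1234]: Accepted publickey for svc from 10.1.1.9
12:00:02.000100 IP 192.168.1.12.51234 > 10.0.0.5.9997: Flags [P.], length 200
..._MetaData:Index..indexA..<13>Jan  1 12:00:02 fw01 kernel: ACCEPT IN=eth0 SRC=10.1.1.9
"""

# tcpdump packet header: timestamp, "IP", source address with port, then " > "
PACKET_HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > ")

# Keys that only appear in parsed (cooked) Splunk-to-Splunk traffic
COOKED_MARKERS = ("_linebreaker", "_MetaData:Index")


def classify_senders(capture_text):
    """Return {src_ip: {"cooked": packets, "raw": packets}} for a tcpdump -A text."""
    counts = defaultdict(lambda: {"cooked": 0, "raw": 0})
    src, payload = None, []

    def flush():
        # Classify the packet collected so far, if any
        if src is None or not payload:
            return
        blob = "\n".join(payload)
        kind = "cooked" if any(marker in blob for marker in COOKED_MARKERS) else "raw"
        counts[src][kind] += 1

    for line in capture_text.splitlines():
        header = PACKET_HEADER.match(line)
        if header:
            flush()
            src, payload = header.group("src"), []
        elif line.strip():
            payload.append(line)
    flush()
    return dict(counts)


def heavy_forwarders(capture_text):
    """Hosts that sent at least one cooked packet, i.e. are parsing before they forward."""
    return sorted(ip for ip, c in classify_senders(capture_text).items() if c["cooked"])
```

Running heavy_forwarders(SAMPLE_CAPTURE) on the sample returns ['192.168.1.12'], the host whose events the transform was never able to reroute.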
Continuing my comment:
Telling the LWF where to send the data should be cheaper (resource-wise) and quite easy.
Here's an answer with a similar idea: http://answers.splunk.com/questions/5134/can-i-forward-different-data-inputs-to-different-splunk-ind...
I'm not here to babysit forwarders 😉 Not Ghetto.
Ghetto. If you had control over the forwarder configs, maybe you could actually be sure it was a LWF.
We have data from this host that is going to indexA. I really want to be able to keep my hands off the LWF configuration so I don't have to set those up.
Instead of doing it with props/transforms, why do you not tell the LWF to send to indexB? Rerouting with props/transforms, even if possible, should cause slowness in indexing...
Simeon, how am I doing IT wrong?
Har Har Har, guys.
You are doing IT wrong
Please provide a complete Splunk diag.