Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to classify into multiple indexes based on one sourcetype

silverKi
Path Finder
‎07-29-2024 10:50 PM

Currently, my sourcetype contains a mix of bank logs and card logs. I would like to categorize this into `index=bank` and `index=card` respectively.

Currently, the search is done with index=main, and all data is displayed. If index=bank, I want only bank-related logs to be output.

We set the forwarder as follows and created bank, card, and error indexes on the server that will receive the data.

This is the code I have written so far... I need help,,,,,

 

splunk@heavy-forwarder:/opt/splunk/etc/apps/search/local:> cat inputs.conf
[monitor:///opt/splunk/var/log/splunk/test.log]
disabled = false
host = heavy-forwarder
sourcetype = test
crcSalt = <SOURCE>

 

splunk@heavy-forwarder:/opt/splunk/etc/system/local:> cat props.conf
[test]
TRANSFORM-routing=bankRouting,cardRouting,errorRouting
splunk@heavy-forwarder:/opt/splunk/etc/system/local:> cat transform.conf
[bankRouting]
REGEX=bank
DEST_KEY =_INDEX
FORMAT = bankGroup

[cardRouting]
REGEX=card
DEST_KEY =_INDEX
FORMAT = cardGroup

[errorGroup]
REGEX=error
DEST_KEY =_INDEX
FORMAT = errorGroup
splunk@heavy-forwarder:/opt/splunk/etc/system/local:> cat outputs.conf
[tcpout:bankGroup]
server = 192.168.111.153:9997

[tcpout:cardGroup]
server = 192.168.111.151:9997

[tcpout:errorGroup]
server = 192.168.111.152:9997

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-07-2024 10:58 PM

OK. Apart from the fact that you're routing to servers (which - if these are clustered indexers should replicate the buckets), not redirecting to indexes (indexer is not the same as index), let me point out two things

1) You should not use the main index. It comes configured by default so that something is created in the environment but you should rather have properly configured indexes created according to your needs

2) Do you _need_ to split the data into indexes? (Two main reasons for splitting data into indexes are access rights and retention periods). That's not the same as using two different sourcetypes for two different kinds of data (which you should definitely do if the data formats do indeed differ).

0 Karma
Reply

silverKi
Path Finder
‎08-08-2024 12:58 AM

1) I would like to say thank you for your advice, I think I overlooked the main index. 

2) The main reason what I want to split from one source type say test, into index=bank, index=card, index=error is because I need to different access permissions.   

Reply

KendallW
Contributor
‎07-29-2024 11:05 PM

Hi @silverKi 

To classify logs into multiple indexes based on one sourcetype:
props.conf:

[test]
TRANSFORMS-routing = bankRouting,cardRouting,errorRouting

Note:
-the plural form TRANSFORMS-routing instead of TRANSFORM-routing.

transforms.conf:

[bankRouting]
REGEX = (?i)bank
DEST_KEY = _MetaData:Index
FORMAT = bank

[cardRouting]
REGEX = (?i)card
DEST_KEY = _MetaData:Index
FORMAT = card

[errorRouting]
REGEX = (?i)error
DEST_KEY = _MetaData:Index
FORMAT = error

Note:
-Use (?i) for case-insensitive matching
-Change DEST_KEY to _MetaData:Index
-FORMAT should be the exact index name

outputs.conf:

[tcpout]
defaultGroup = defaultGroup

[tcpout:defaultGroup]
server = 192.168.111.153:9997

[tcpout-server://192.168.111.151:9997]
index = card

[tcpout-server://192.168.111.152:9997]
index = error

 

 

 

0 Karma
Reply

silverKi
Path Finder
‎07-29-2024 11:32 PM

@KendallW ,,, Thank for your tips,, But when I search index=card in search app, The result is nothing.. 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-07-2024 07:26 AM
Do you really have 3 different indexers which each contains own indexes like 1st card, 2nd bank and 3rd error indexes?
Or do you have one indexer (or cluster) which contains all those separate indexes?
0 Karma
Reply

silverKi
Path Finder
‎08-07-2024 06:43 PM

have one forwarder and three indexer servers.
Each indexer server holds the indexes index-card,  index=bank, index=error.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-07-2024 11:23 PM

Then @KendallW ‘s answer should work with minor change on outputs.conf. You should just use default group and put all those indexers there and no index definitions into it. 

0 Karma
Reply

KendallW
Contributor
‎08-05-2024 05:03 PM

1. Does the "card" index exist?

2. Is any data at all being ingested to that index?

3. Are there any parsing or connectivity issues in the _internal index?

0 Karma
Reply

silverKi
Path Finder
‎07-29-2024 10:54 PM

This is my test.log 
[07-30-2024 02:19:22] +0900 INFO LMTracker [14307 MainThread] username=fIg-Jvkf, Visa, cardtype=credit, cardnumber=7085-5579-5664-8197, cvc=794, expireday=05/26, user-phone=852-9765-3539, comapny=IBK, com-tel=02-885-8485, address=7547 0c2F1YA76CHEkgw Street, city=Seoul, Country=Korea, status=500 Internal Server Error, Server error. Please try again later card.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top