Splunk Enterprise

Is it possible to store events coming from the same source in different indexes, depending on their content?

michaje
Explorer

Hi,

Perhaps this question has been asked before... Is it possible to store events coming from the same source in different indexes, depending on their content?

The use case is that some events are more sensitive than others and need to be sent to different indexes.

In our case, the index name would appear within the event, as a formatted field, like [index: SENSITIVE].

The input is a TCP port.

Any help would be appreciated, and I prefer to take no as an answer than to be led into some intricate solution.

Thank you,

Jean


isoutamo
SplunkTrust

Hi

It's possible, but what is the real issue you are solving this way?

How is your stream generated on the source side, and are there several sources or only one?

r. Ismo

michaje
Explorer

Thank you for the quick answer!

The question here is whether the <new-value> can be a variable found within the event using a regexp that would extract the value.


dural_yyz
Motivator

I believe so, but I've never tested it and I don't have a dev environment to verify. You can try creating an unnamed capture group inside your regex. Inside the FORMAT setting, replace <new-value> with "$1".

michaje
Explorer

Thank you for the suggestion. I could not test it, as an alternative approach has been adopted in the meantime.


dural_yyz
Motivator

transforms.conf

# <new-value> is a placeholder: replace it with the name of the target index
[index_reset]
SOURCE_KEY = _raw
DEST_KEY = _MetaData:index
REGEX = .
FORMAT = index::<new-value>

This searches the _raw data for the regex match (change my example regex), then applies the FORMAT to the DEST_KEY.

Test in development environment first to fine tune this process, it can be tricky to get the regex and format just right.
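As an added example (not code from this thread or from Splunk's own documentation), here is a complete props.conf/transforms.conf pair for the use case in the question: events carrying a literal `[index: SENSITIVE]` marker are routed to a dedicated index, and everything else stays in the input's default index. It assumes the TCP input is tagged with a sourcetype named `app_tcp` and that an index named `sensitive` already exists; both names are made up for the example. The transform must live on the instance that parses the data (an indexer or heavy forwarder), because a universal forwarder does not run transforms on unstructured data.

```ini
# props.conf  (assumed sourcetype "app_tcp" assigned to the TCP input)
# Transforms in a TRANSFORMS-<class> list run in order; a later transform that
# writes the same DEST_KEY overrides an earlier one.
[app_tcp]
TRANSFORMS-route = route_sensitive

# transforms.conf
# Match the marker anywhere in the raw event. Only this exact marker routes the
# event; anything else falls through to the input's default index.
[route_sensitive]
SOURCE_KEY = _raw
REGEX = \[index:\s*SENSITIVE\]
DEST_KEY = _MetaData:index
FORMAT = index::sensitive
```

The index name is written as a fixed value rather than captured with `$1` on purpose. Splunk index names must be lowercase, so capturing `SENSITIVE` verbatim would name an index that cannot exist, and events routed to an index that does not exist are dropped unless indexes.conf sets `lastChanceIndex`. More importantly for the "sensitive data" use case, a capture group lets whoever writes the event choose the destination index, including an index with weaker access controls. Fixing the name in the transform, and adding one stanza per permitted index to the `TRANSFORMS-route` list, keeps the set of reachable indexes under the administrator's control.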
