Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to store events coming from the same source in different indexes, depending on their content?

michaje
Explorer
‎12-06-2024 05:45 AM

Hi,

Perhaps this question has been asked before...  Is it possible to store events coming from the same source in different indexes, depending on their content?

The use case is that some events are more sensitive than others and need to be sent to different indexes.

In our case, the index name would appear within the event, as a formatted field, like [index: SENSITIVE].

The input is a TCP port.

Any help would be appreciated, and I prefer to take no as an answer than to be led into some intricate solution.

Thank you,

Jean

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-09-2024 08:28 AM

Hi

it’s possible, but what is your real issue what you are solving this way?

How your stream is generated in source side and are there several or only one source?

r. Ismo

Reply

michaje
Explorer
‎12-06-2024 07:23 AM

Thank you for the quick answer!

The question here is whether the <new-value> can be a variable found within the event using a regexp that would extract the value.

0 Karma
Reply

dural_yyz
Motivator
‎12-09-2024 06:14 AM

I believe so but I've never tested and I don't have a dev environment to verify.  You can try inside your regex to create an unnamed capture group.  Inside the FORMAT tag replace <new-value> with "$1".

Reply

michaje
Explorer
‎12-16-2024 06:27 AM

Thank you for the suggestion.  I could not test it, as an alternative approach has been adopted in the meantime.

0 Karma
Reply

dural_yyz
Motivator
‎12-06-2024 07:08 AM

transforms.conf

 [index_reset]
 SOURCE_KEY = _raw
 DEST_KEY =  _MetaData:index
 REGEX = .
 FORMAT = index::<new-value>

This searches the _raw data feed for the regex match (change my example), then applies the FORMAT to the DEST_KEY.

Test in development environment first to fine tune this process, it can be tricky to get the regex and format just right.

Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...