Splunk Enterprise

Set index on indexer

danbrook
Explorer

I'm trying to set up Windows Event Log collection via chained Universal Forwarders to my Indexer. I'm not able to set the index in inputs.conf so am trying to set it on the indexer but with no luck. I'm also manipulating the sourcetype and host field to show the original values, which is working fine.

So far I have:

props.conf
[source::WinEventLog:ForwardedEvents]
TRANSFORMS-Index = Set-Index
TRANSFORMS-Host = Set-Host-ComputerName
TRANSFORMS-LogName = Set-Sourcetype-LogName

transforms.conf
[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX source::WinEventLog:ForwardedEvents 
DEST_KEY = _MetaData:Index
FORMAT = index::MyIndex**

[Set-Host-ComputerName]
REGEX = (?m)ComputerName=(.*)?\b
DEST_KEY = MetaData:Host
FORMAT = host::$1

[Set-Sourcetype-LogName]
REGEX = (?m)LogName=(.*)?\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::WinEventLog:$1

My struggle is with setting the index at index time.

martin_mueller
SplunkTrust

Okay, that looks much better. Did you restart the indexer after making the change?



martin_mueller
SplunkTrust

You need something that matches - could be what you have now, could just be this:

[Set-Index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = MyIndex

That'd match "raw event has at least one char", i.e. every event.

danbrook
Explorer

That's now working! Thanks. Just a thought, do I need the SOURCE_KEY part?


danbrook
Explorer

Thanks Martin! That's working now. I must admit I'm still fuzzy on the why but I'm getting there. Many more Splunk Docs to read!


martin_mueller
SplunkTrust

Okay... next weird thing, the _MetaData:Index key doesn't want an index:: prefix - and I'm guessing the ** is not actually in your conf?

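As an added example (not from the thread and not Splunk tooling), a small Python check for the transforms.conf pitfalls the posts above walk through: a REGEX line missing its '=', an index:: prefix on _MetaData:Index, a stray '**' in FORMAT, and a stanza with no REGEX at all so nothing ever matches. The conf samples are constructed from the stanzas posted in the thread; the parser is a deliberately minimal INI-style reader, not Splunk's.

```python
# Added example, not Splunk tooling: lint transforms.conf index-routing stanzas.

# Per the thread: these DEST_KEYs take a prefixed FORMAT; _MetaData:Index takes a bare name.
PREFIXED_DEST_KEYS = {"MetaData:Host": "host::", "MetaData:Sourcetype": "sourcetype::"}

def parse_stanzas(text):
    """Tiny INI-style reader: ({stanza: {key: value}}, [line-level problems])."""
    stanzas, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" not in line:  # e.g. "REGEX source::..." sets nothing at all
            problems.append(f"line {lineno}: '{line}' has no '=' (missing equals sign?)")
        elif current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas, problems

def lint_index_routing(text):
    """Return a list of problems; an empty list means the stanzas look sane."""
    stanzas, problems = parse_stanzas(text)
    for name, s in stanzas.items():
        dest, fmt = s.get("DEST_KEY"), s.get("FORMAT", "")
        if "REGEX" not in s:
            problems.append(f"[{name}]: no REGEX, so the transform never matches anything")
        if "**" in fmt:
            problems.append(f"[{name}]: FORMAT contains '**', which would end up in the value")
        if dest == "_MetaData:Index" and fmt.startswith("index::"):
            problems.append(f"[{name}]: _MetaData:Index wants a bare index name, not '{fmt}'")
        if dest in PREFIXED_DEST_KEYS and not fmt.startswith(PREFIXED_DEST_KEYS[dest]):
            problems.append(f"[{name}]: {dest} FORMAT must start with '{PREFIXED_DEST_KEYS[dest]}'")
    return problems

# Constructed samples: the Set-Index stanza as first posted, and the corrected one.
BROKEN_CONF = """[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX source::WinEventLog:ForwardedEvents
DEST_KEY = _MetaData:Index
FORMAT = index::MyIndex**
"""
FIXED_CONF = """[Set-Index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = MyIndex
"""
```

Running `lint_index_routing(BROKEN_CONF)` reports all four issues the thread uncovered one at a time; the corrected stanza reports none.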

danbrook
Explorer

OK, I now have this:
transforms.conf

[Set-Index]
SOURCE_KEY = MetaData:Source
REGEX = source::WinEventLog:ForwardedEvents 
DEST_KEY = _MetaData:Index
FORMAT = MyIndex

The logs are still hitting the main index.


martin_mueller
SplunkTrust

Make sure there's an equals sign after REGEX in line 10.


danbrook
Explorer

Thanks, just spotted that. Corrected but logs still aren't being matched or changed. So either the Regex is wrong or..?
