Hi there,
I'm trying to redirect logs from a syslog device to a separate index. Does anyone see an error in this config?
# props.conf -- applies to events whose host field (as set at input time) matches this value
[host::aaa.bbb.ccc.ddd]
TRANSFORMS-juniper_change_index = juniper_change_index

# transforms.conf -- rewrite the destination index for every event that reaches this stanza
[juniper_change_index]
SOURCE_KEY = MetaData:Host
REGEX = (.*)
DEST_KEY = _MetaData:Index
FORMAT = juniper
Logs are still going to the main index. I have other working transforms that operate on sourcetypes and other fields, but for some reason, I've been unable to get this one based on source address working.
Thanks!
Please try DEST_KEY = MetaData:Index without the trailing _
r. Ismo
Unfortunately, DEST_KEY = MetaData:Index does not appear to have helped.
If you are reading those from the local /var/log/messages, then the hostname will probably be something different from aaa.bbb.ccc.ddd, and this transformation doesn't apply to those events.
The IP address was just a placeholder. I was using the actual address.
I resolved my issue by implementing your suggestion. I broke out logs by hostname, added the host in question's logs to separate log files, added the new data inputs and set the proper sourcetype and index, and now all is well in the world.
Thanks again for your help and your suggestion!
I should point out that I just realized that my rule may not be working because these particular logs are coming from the indexer's own /var/log/messages file (rsyslog), so my IP address is perhaps not going to work in this case. I initially tried using a host name which also didn't work, however perhaps your suggestion will work in either case. I will report back shortly. Thanks!
When you are using rsyslog, one option is to separate logs into their own files based on the event's hostname, or just use that hostname in your transforms stanza.
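The per-host file approach in the answer above, written out as an added example (not configuration from the original thread): rsyslog writes each remote sender's messages to a directory named after the event's hostname, and a Splunk monitor input on that file assigns the index and sourcetype directly, so no props/transforms routing is needed. The hostname juniper-fw01, the /var/log/remote path and the sourcetype name are assumptions for illustration.

```conf
# /etc/rsyslog.d/10-remote.conf (RainerScript syntax)
# One file per sending host; %HOSTNAME% is the hostname carried in the syslog header.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/messages")

# Only network senders go to per-host files; the indexer's own local messages
# keep flowing to /var/log/messages as before.
if ($fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="PerHostFile" dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# inputs.conf on the indexer (hostname and paths are assumed for this example)
# Splunk's host field now comes from the input, so the index is set here
# instead of through a [host::...] transform.
[monitor:///var/log/remote/juniper-fw01/messages]
index = juniper
sourcetype = juniper
host = juniper-fw01
disabled = 0
```

Because the event's host is set explicitly on the monitor stanza, a [host::juniper-fw01] props.conf stanza would also match these events if you later prefer the transforms route; the original config failed only because events read from the indexer's own /var/log/messages carry the indexer's hostname, not the device's address.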
That is a fantastic point that I had completely forgotten about. We just recently upgraded the system hosting Splunk, and simply copied the configs, but I think that would be a much more sensible option in our case. Thanks very much for your help!