Splunk Enterprise

Why is my log routing via props.conf and transforms.conf not working?

Shakeer_Spl
Explorer

Route logs from combined_large.log to webapp1_index or webapp2_index based on log content ([webapp1] or [webapp2]).

Setup:

  • Universal Forwarder: Windows (sending logs)

  • Indexer: Windows (receiving & parsing)

  • Logs contain [webapp1] or [webapp2]

  • Expect routing to happen on the Indexer

Sample log:

2025-05-03 16:41:36 [webapp1] Session timeout for user
2025-04-13 20:25:59 [webapp2] User registered successfully

inputs.conf (on UF):

[monitor://C:\logs\combined_large.log]
disabled = false
sourcetype = custom_combined_log
index = default

props.conf (on Indexer):

[custom_combined_log]
TRANSFORMS-route_app_logs = route-webapp1_index, route-webapp2_index

transforms.conf (on Indexer):

[route-webapp1_index]
REGEX = \[webapp1\]
DEST_KEY = _MetaData:Index
FORMAT = webapp1_index

[route-webapp2_index]
REGEX = \[webapp2\]
DEST_KEY = _MetaData:Index
FORMAT = webapp2_index

Tried:

  • Verified file is being read
  • Confirmed btool loads configs
  • Restarted services
  • Re-indexed by duplicating the file

Issue:

Logs not appearing in either webapp1_index or webapp2_index

Questions:

  • Is this config correct?
  • Am I missing a key step or wrong config location?
  • Any way to debug routing issues?

Any help or insight would be greatly appreciated. Thanks in advance 🙏

0 Karma

Shakeer_Spl
Explorer

Sorry for the late response, my issue has been fixed. Thanks for your replies.

0 Karma

PickleRick
SplunkTrust

Please share with the community what was wrong in your case - it might help others in the future.

0 Karma

livehybrid
SplunkTrust

Hi @Shakeer_Spl 

Are you able to see the data land in *any* index (e.g. main)? If so, can you confirm the sourcetype matches the one configured in inputs.conf?

I assume (but want to check) that the indexes have been created on the Indexers, and that you have appropriate RBAC/access to view their contents?

Are you able to see the UF sending logs to _internal on your indexers? If not, this would indicate that the issue lies with the output (from the UF) or the input (into the IDX).

Are there any other props/transforms that apply to that sourcetype in your props.conf?

Sorry for all the questions (in addition to those already asked re HF etc.), there is a lot to establish in a situation like this!


0 Karma

isoutamo
SplunkTrust
If you cannot find those events in any index, have you defined lastChanceIndex in your indexes.conf?
If not, then it's time to add it.

lastChanceIndex = <index name>
* An index that receives events that are otherwise not associated
  with a valid index.
* If you do not specify a valid index with this setting, such events are
  dropped entirely.
* Routes the following kinds of events to the specified index:
  * events with a non-existent index specified at an input layer, like an
    invalid "index" setting in inputs.conf
  * events with a non-existent index computed at index-time, like an invalid
    _MetaData:Index value set from a "FORMAT" setting in transforms.conf
* You must set 'lastChanceIndex' to an existing, enabled index.
  Splunk software cannot start otherwise.
* If set to "default", then the default index specified by the
  'defaultDatabase' setting is used as a last chance index.
* Default: empty string
0 Karma

PickleRick
SplunkTrust

At first glance it should work.

1. Are you by any chance using INDEXED_EXTRACTIONS?

2. Is your data sent straight from UF to indexers or do you have any HF in the middle?

0 Karma
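To make the mechanism in this thread concrete, here is an added example (not code from the OP, from any of the repliers, or from Splunk itself): a small Python script that models what an indexer does with the OP's props.conf and transforms.conf stanzas, and then what indexes.conf's lastChanceIndex does with the result, as quoted by isoutamo. It embeds constructed copies of the posted stanzas plus three constructed sample events, and it assumes the defaultDatabase is main (so the UF's index = default lands in main) and that parsing really happens on the indexer, i.e. no heavy forwarder in between and no INDEXED_EXTRACTIONS on the UF, which are exactly the two things PickleRick asks about. Its three cases show the config routing correctly when the target indexes exist, tagged events vanishing without a trace when webapp1_index/webapp2_index were never created and lastChanceIndex is unset, and the same events surfacing in main once lastChanceIndex = main is configured.

```python
"""Offline simulator for Splunk index-time routing via props/transforms.

Added example, not Splunk code: it mimics how an indexer applies the
TRANSFORMS-* chain from props.conf to _MetaData:Index and what happens
when FORMAT names an index that does not exist (indexes.conf lastChanceIndex).
All configs and log lines below are constructed from the forum thread.
"""
import re
from configparser import ConfigParser

# Constructed copy of the OP's transforms.conf (raw string: backslashes stay literal)
TRANSFORMS_CONF = r"""
[route-webapp1_index]
REGEX = \[webapp1\]
DEST_KEY = _MetaData:Index
FORMAT = webapp1_index

[route-webapp2_index]
REGEX = \[webapp2\]
DEST_KEY = _MetaData:Index
FORMAT = webapp2_index
"""

# Constructed copy of the OP's props.conf stanza
PROPS_CONF = r"""
[custom_combined_log]
TRANSFORMS-route_app_logs = route-webapp1_index, route-webapp2_index
"""

# Constructed sample events: the two from the post plus one with no tag at all
SAMPLE_EVENTS = [
    "2025-05-03 16:41:36 [webapp1] Session timeout for user",
    "2025-04-13 20:25:59 [webapp2] User registered successfully",
    "2025-05-03 16:42:00 health check ok",
]


def load_conf(text):
    """Parse a .conf fragment into {stanza: {key: value}} (keys lowercased)."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def transforms_chain(props, sourcetype):
    """Collect transform names from every TRANSFORMS-* setting of a props stanza, in order."""
    names = []
    for key, value in props.get(sourcetype, {}).items():
        if key.startswith("transforms-"):
            names.extend(n.strip() for n in value.split(","))
    return names


def route_event(raw, chain, transforms, input_index="default"):
    """Compute _MetaData:Index for one raw event.

    Every transform whose REGEX matches overwrites DEST_KEY, so when several
    match, the last one in the chain wins. Unmatched events keep the index
    the input assigned (here the UF's "index = default").
    """
    index = input_index
    for name in chain:
        t = transforms[name]
        if t.get("dest_key") != "_MetaData:Index":
            continue  # not an index-routing transform
        if re.search(t["regex"], raw):
            index = t["format"]
    return index


def deliver(index, existing, default_index="main", last_chance=None):
    """Resolve the final index, mirroring the lastChanceIndex semantics quoted above.

    "default" means the defaultDatabase (assumed to be main). A non-existent
    index goes to lastChanceIndex when one is set, otherwise the event is
    dropped entirely, which this function reports as None.
    """
    if index == "default":
        index = default_index
    if index in existing:
        return index
    if last_chance == "default":
        return default_index
    if last_chance in existing:
        return last_chance
    return None


def simulate(events, existing, last_chance=None):
    """Map each raw event to its final index (None = silently dropped)."""
    props = load_conf(PROPS_CONF)
    transforms = load_conf(TRANSFORMS_CONF)
    chain = transforms_chain(props, "custom_combined_log")
    return {e: deliver(route_event(e, chain, transforms), existing, last_chance=last_chance)
            for e in events}


if __name__ == "__main__":
    # Case 1: target indexes exist on the indexer -> routing works as the OP expects
    print(simulate(SAMPLE_EVENTS, {"main", "webapp1_index", "webapp2_index"}))
    # Case 2: indexes never created and no lastChanceIndex -> tagged events vanish
    print(simulate(SAMPLE_EVENTS, {"main"}))
    # Case 3: same, but lastChanceIndex = main -> they surface in main instead
    print(simulate(SAMPLE_EVENTS, {"main"}, last_chance="main"))
```

Case 2 is the one that reproduces the symptom in the question: nothing lands in webapp1_index or webapp2_index and nothing lands in main either, because the only events that reach main are the ones no transform touched. On a real indexer the equivalent checks are `splunk btool props list custom_combined_log --debug` and `splunk btool transforms list route-webapp1_index --debug` (the --debug column shows which file each setting comes from, which catches a stanza sitting on the wrong host or under the wrong sourcetype), `splunk btool indexes list webapp1_index` to confirm the index stanza exists, and a search over index=_internal for the forwarder's host to confirm the UF is actually delivering to that indexer.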