Splunk Enterprise

Why is my log routing via props.conf and transforms.conf not working?

Shakeer_Spl
Explorer

Route logs from combined_large.log to webapp1_index or webapp2_index based on log content ([webapp1] or [webapp2]).

Setup:

  • Universal Forwarder: Windows (sending logs)

  • Indexer: Windows (receiving & parsing)

  • Logs contain [webapp1] or [webapp2]

  • Expect routing to happen on the Indexer

Sample log:

2025-05-03 16:41:36 [webapp1] Session timeout for user

2025-04-13 20:25:59 [webapp2] User registered successfully

inputs.conf (on UF):

[monitor://C:\logs\combined_large.log]
disabled = false
sourcetype = custom_combined_log
index = default

props.conf (on Indexer):

[custom_combined_log]
TRANSFORMS-route_app_logs = route-webapp1_index, route-webapp2_index

transforms.conf (on Indexer):

[route-webapp1_index]
REGEX = \[webapp1\]
DEST_KEY = _MetaData:Index
FORMAT = webapp1_index

[route-webapp2_index]
REGEX = \[webapp2\]
DEST_KEY = _MetaData:Index
FORMAT = webapp2_index

Tried:

  • Verified file is being read

  • Confirmed btool loads configs

  • Restarted services

  • Re-indexed by duplicating the file

Issue:

Logs not appearing in either webapp1_index or webapp2_index

Questions:

  • Is this config correct?

  • Am I missing a key step or wrong config location?

  • Any way to debug routing issues?

Any help or insight would be greatly appreciated. Thanks in advance 🙏


Shakeer_Spl
Explorer

Sorry for the late response. My issue has been fixed, thanks for your replies.


PickleRick
SplunkTrust

Please share with the community what was wrong in your case - it might help others in the future.


livehybrid
SplunkTrust

Hi @Shakeer_Spl 

Are you able to see the data land in *any* index (e.g. main)? If so, can you confirm the sourcetype matches that configured in inputs.conf?

I assume (but want to check) that the indexes have been created on the Indexers, and that you have appropriate RBAC/access to view the contents?

Are you able to see the UF sending logs to _internal on your indexers? If not, this would indicate that the issue lies with the output (from the UF) or the input (into the IDX).

Are there any other props/transforms that apply to that sourcetype in your props.conf?

Sorry for all the questions (in addition to those already asked re HF etc.), there is a lot to establish in a situation like this!


isoutamo
SplunkTrust

If you cannot find those events in any indexes, have you defined lastChanceIndex in your indexes.conf? If not, then it's time to add it.

lastChanceIndex = <index name>
* An index that receives events that are otherwise not associated
  with a valid index.
* If you do not specify a valid index with this setting, such events are
  dropped entirely.
* Routes the following kinds of events to the specified index:
  * events with a non-existent index specified at an input layer, like an
    invalid "index" setting in inputs.conf
  * events with a non-existent index computed at index-time, like an invalid
    _MetaData:Index value set from a "FORMAT" setting in transforms.conf
* You must set 'lastChanceIndex' to an existing, enabled index.
  Splunk software cannot start otherwise.
* If set to "default", then the default index specified by the
  'defaultDatabase' setting is used as a last chance index.
* Default: empty string
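An added example, not code from the original post or from Splunk: a small Python model of the two index-time steps discussed in this thread, the TRANSFORMS routing from the question and the lastChanceIndex rule quoted above. It shows why correctly matching transforms can still make events vanish: with webapp1_index and webapp2_index not yet created and lastChanceIndex unset, the routed events are dropped, while the line that matches no transform stays in main. The sample lines (including the extra "webapp3" event) are constructed, and Python's re stands in for Splunk's PCRE engine (assumption; both treat these patterns the same way).

```python
"""Offline model of Splunk index-time routing for the config in this thread.

Constructed example for this page; it is not Splunk code. It re-implements
the two index-time steps that matter here: TRANSFORMS-* stanzas rewriting
_MetaData:Index, and indexes.conf lastChanceIndex deciding what happens when
the computed index does not exist. Regexes use Python's re, which is close
enough to Splunk's PCRE for these patterns (assumption).
"""
import re

# transforms.conf from the post, as Python data
TRANSFORMS = {
    "route-webapp1_index": {"REGEX": r"\[webapp1\]",
                            "DEST_KEY": "_MetaData:Index",
                            "FORMAT": "webapp1_index"},
    "route-webapp2_index": {"REGEX": r"\[webapp2\]",
                            "DEST_KEY": "_MetaData:Index",
                            "FORMAT": "webapp2_index"},
}

# props.conf from the post:
# TRANSFORMS-route_app_logs = route-webapp1_index, route-webapp2_index
PROPS = {"custom_combined_log": ["route-webapp1_index", "route-webapp2_index"]}

# Constructed sample events in the same shape as the lines in the question
SAMPLE_EVENTS = [
    "2025-05-03 16:41:36 [webapp1] Session timeout for user",
    "2025-04-13 20:25:59 [webapp2] User registered successfully",
    "2025-04-13 20:26:01 [webapp3] No matching transform for this one",
]


def route_event(raw, sourcetype, input_index="main"):
    """Return the index computed at parse time for one event.

    Only the TRANSFORMS-* list for the event's sourcetype is applied, in the
    order listed; each match overwrites _MetaData:Index, so the last matching
    transform wins. A sourcetype mismatch means no transform runs at all.
    """
    index = input_index
    for name in PROPS.get(sourcetype, []):
        t = TRANSFORMS[name]
        if t["DEST_KEY"] == "_MetaData:Index" and re.search(t["REGEX"], raw):
            index = t["FORMAT"]
    return index


def final_destination(index, existing_indexes, last_chance_index="",
                      default_database="main"):
    """Apply the lastChanceIndex rule quoted from indexes.conf.spec.

    An event whose computed index exists is stored there. Otherwise it goes to
    lastChanceIndex (where the special value "default" means defaultDatabase);
    with lastChanceIndex unset (empty string, the spec default) the event is
    dropped, which this model signals with None.
    """
    if index in existing_indexes:
        return index
    if last_chance_index == "default":
        last_chance_index = default_database
    if last_chance_index in existing_indexes:
        return last_chance_index
    return None  # dropped silently: nothing to find in any index


def simulate(events, sourcetype, existing_indexes, last_chance_index=""):
    """Run every event through both steps and return (raw, destination) pairs."""
    return [(raw, final_destination(route_event(raw, sourcetype),
                                    existing_indexes, last_chance_index))
            for raw in events]


if __name__ == "__main__":
    # Case 1: the transforms are correct but the target indexes were never created
    for raw, dest in simulate(SAMPLE_EVENTS, "custom_combined_log", {"main"}):
        print(f"{dest or 'DROPPED':>14}  {raw}")
    print("--- after creating both indexes and setting lastChanceIndex = main")
    for raw, dest in simulate(SAMPLE_EVENTS, "custom_combined_log",
                              {"main", "webapp1_index", "webapp2_index"}, "main"):
        print(f"{dest:>14}  {raw}")
```

The first run prints DROPPED for both routed lines and main for the unmatched one, which is exactly the symptom in the question; the second run, with the indexes created, shows the same transforms delivering events where expected. Setting lastChanceIndex to an existing index turns future silent drops into events you can actually search for while debugging.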

PickleRick
SplunkTrust

At first glance it should work.

1. Are you by any chance using INDEXED_EXTRACTIONS?

2. Is your data sent straight from UF to indexers or do you have any HF in the middle?
