Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to change index based on MetaData:Source.

mskrzynski
Explorer
‎11-07-2022 06:46 AM

Hello, can anyone tell me why this configuration isn’t working?

I would like to change index name from main to hue, I’m getting data from db_connect from HF.

I would like to change the index name on main indexer.

 

transforms.conf

[set_index_hue]

SOURCE_KEY = MetaData:Source

REGEX = ^source::(stream\:Splunk_Postgres)$

DEST_KEY = _MetaData:Index

FORMAT = hue

 

props.conf

 

[stream:postgres]

TRANSFORMS-stream-postgres = set_index_hue

 

Best regards M.

Labels (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-07-2022 08:58 AM

Why not change the inputs.conf setting to specify the proper index?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mskrzynski
Explorer
‎11-07-2022 08:58 AM

Hello again, sample of sources:

stream:Splunk_IP
stream:Splunk_Tcp
stream:Splunk_SSLActivity
stream:Splunk_Udp
stream:Splunk_DNSRequestResponse
stream:Splunk_DNSIntegrity
stream:Splunk_DNSServerQuery
stream:Splunk_DNSServerResponse
stream:Splunk_DNSClientQueryTypes
stream:Splunk_DNSClientErrors
stream:Splunk_Postgres

I would like to catch only stream:Splunk_Postgres

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 09:01 AM

Hi @mskrzynski,

if al this data source must go in the same index, you can specify this index in the input, the method you used is to override the index value.

Ciao.

Giuseppe

0 Karma
Reply

mskrzynski
Explorer
‎11-07-2022 09:04 AM

Hello, @gcusello I know,  I have to move only stream:postgres to diferent index

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 09:09 AM

Hi @mskrzynski,

please try this:

props.conf:

[source::stream:Splunk_postgres]
TRANSFORMS-stream-postgres = set_index_hue

transforms.conf

[set_index_hue]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = hue

Check the value of the data source for the stanza header in props.conf, it must be

[source::<data_dource>]

Ciao.

Giuseppe

Reply

mskrzynski
Explorer
‎11-07-2022 09:31 AM

Hello @gcusello, no luck 😞

props.conf

[source::stream:Splunk_postgres]
TRANSFORMS-stream-postgres = set_index_hue

transforms.conf

[set_index_hue]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = hue

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 11:50 PM

Hi @mskrzynski,

where do you located these files?

they must be in Indexers or (when present), as in your case, on Heavy Forwarders.

Then are you sure that the source is exactly "stream:Splunk_postgres" with attention to the letter case?

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 07:55 AM

Hi @mskrzynski ,

what's a sample of the source to use for the regex?

the syntax is correct, the only possible problem is that the regex isn't correct.

Ciao.

Giuseppe

0 Karma
Reply

mskrzynski
Explorer
‎11-07-2022 08:38 AM

Hello, @gcusello I've attached some screenshots.

Best regards M.

 

Preview file
45 KB
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 08:44 AM

Hi @mskrzynski,

I'm sorry but I probably didn't express myself well: the regex works on the source field, so I need a couple of examples of this field.

Maybe is it "stream:Splunk_Postgres"?

in this case, if it's fixed, you don't need to have the SOURCE_KEY in transforms.conf  and you can use an easier regex:

props.conf:

 

[stream:postgres]
TRANSFORMS-stream-postgres = set_index_hue

 

transforms.conf

 

[set_index_hue]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = hue

 

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...